About this Book and the Library


The Setup Guide provides instructions for installing the NetIQ Identity Manager (Identity Manager) 
product. This guide describes the process for installing individual components in a distributed 
environment. 


Intended Audience 


This book provides information for identity architects and identity administrators responsible for 
installing the components necessary for building an identity management solution for their 
organization. 


Other Information in the Library 


For more information about the library for Identity Manager, see the Identity Manager documentation 
website. 
About NetIQ Corporation


We are a global, enterprise software company, with a focus on the three persistent challenges in your 
environment: Change, complexity and risk—and how we can help you control them. 


Our Viewpoint 


Adapting to change and managing complexity and risk are nothing new 


In fact, of all the challenges you face, these are perhaps the most prominent variables that deny 
you the control you need to securely measure, monitor, and manage your physical, virtual, and 
cloud computing environments. 

Enabling critical business services, better and faster 


We believe that providing as much control as possible to IT organizations is the only way to 
enable timelier and cost effective delivery of services. Persistent pressures like change and 
complexity will only continue to increase as organizations continue to change and the 
technologies needed to manage them become inherently more complex. 


Our Philosophy 


Selling intelligent solutions, not just software 


In order to provide reliable control, we first make sure we understand the real-world scenarios in 
which IT organizations like yours operate—day in and day out. That's the only way we can 
develop practical, intelligent IT solutions that successfully yield proven, measurable results. And 
that's so much more rewarding than simply selling software. 

Driving your success is our passion 


We place your success at the heart of how we do business. From product inception to 
deployment, we understand that you need IT solutions that work well and integrate seamlessly 
with your existing investments; you need ongoing support and training post-deployment; and you 
need someone that is truly easy to work with—for a change. Ultimately, when you succeed, we 
all succeed. 


Our Solutions 


• Identity & Access Governance
• Access Management
• Security Management
• Systems & Application Management
• Workload Management
• Service Management
Contacting Sales Support


For questions about products, pricing, and capabilities, contact your local partner. If you cannot 
contact your partner, contact our Sales Support team. 


Worldwide: www.netiq.com/about_netiq/officelocations.asp
United States and Canada: 1-888-323-6768 

Email: info@netiq.com

Website: www.netiq.com


Contacting Technical Support 


For specific product issues, contact our Technical Support team. 


Worldwide: www.netiq.com/support/contactinfo.asp
North and South America: 1-713-418-5555 

Europe, Middle East, and Africa: +353 (0) 91-782 677 

Email: support@netiq.com

Website: www.netiq.com/support


Contacting Documentation Support 


Our goal is to provide documentation that meets your needs. The documentation for this product is
available on the NetIQ website in HTML and PDF formats on a page that does not require you to log
in. If you have suggestions for documentation improvements, click comment on this topic at the
bottom of any page in the HTML version of the documentation posted at www.netiq.com/documentation.
You can also email Documentation-Feedback@netiq.com. We value your input and look forward to
hearing from you.


Contacting the Online User Community 


NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your 
peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, 
and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the knowledge you 
need to realize the full potential of IT investments upon which you rely. For more information, visit 
community.netiq.com. 
Planning to Install Identity Manager


This section guides you through planning your Identity Manager installation. If you want to install a
configuration that is not identified in this section, or if you have any questions, contact NetIQ
Technical Support (https://www.netiq.com/support/).


• Chapter 1, “Planning Overview,” on page 15
• Chapter 2, “Considerations for Installing Identity Manager Components,” on page 23


Planning Overview


This section helps you plan the installation process for Identity Manager. You must install the
components in a specific order because the installation program of some components requires
access to previously installed components. For example, you should install and configure the Identity
Manager engine before installing Identity Applications.


• Section 1.1, “Implementation Checklist,” on page 15
• Section 1.2, “Recommended Installation Scenarios and Server Setup,” on page 16
• Section 1.3, “Meeting System Requirements,” on page 18
• Section 1.4, “Minimum Space Requirements,” on page 18
• Section 1.5, “Installing Identity Manager on SLES 12 SP2 or Later Servers,” on page 19
• Section 1.6, “Installing Identity Manager on RHEL 7.3 or Later Servers,” on page 19


1.1 Implementation Checklist 


Use the following checklist to plan, install, and configure Identity Manager. 


If you are upgrading from a previous version of Identity Manager, do not use this checklist. For
information about upgrading, see Part III, “Upgrading Identity Manager,” on page 97.


Checklist Items

1. Review the product architecture information to learn about Identity Manager components. For
more information, see How Identity Manager Works in NetIQ Identity Manager Overview and
Planning Guide - Work-In-Progress DRAFT.

2. Review the Identity Manager licensing information to determine whether you need to use the
evaluation license or the enterprise license of Identity Manager. For more information, see
Understanding Licensing and Activation in NetIQ Identity Manager Overview and Planning
Guide - Work-In-Progress DRAFT.

3. Ensure that the computers on which you install Identity Manager and its components meet the
specified hardware and software requirements. For more information, see Section 1.3,
“Meeting System Requirements,” on page 18.

4. Determine the type of deployment suitable for your environment based on the features you
want to implement. For more information, see Identity Manager Deployment Configurations in
NetIQ Identity Manager Overview and Planning Guide - Work-In-Progress DRAFT.

5. Review the latest Identity Manager release notes to understand the new functionality and the
known issues. For more information, see the release notes at the Identity Manager 4.7
documentation website (https://www.netiq.com/documentation/identity-manager-47/).

6. Locate the files for installation. For more information, see Where to Get Identity Manager in
NetIQ Identity Manager Overview and Planning Guide - Work-In-Progress DRAFT.

7. Install Identity Manager. For more information, see Part II, “Installing and Configuring Identity
Manager Components,” on page 35.

8. (Conditional) To install Identity Manager engine as a non-root user, see Section 3.8, “Installing
Identity Manager Engine as a Non-root User,” on page 46.

9. (Conditional) To install the Java Remote Loader, see Section 3.9, “Installing Java Remote
Loader,” on page 49.

10. Configure the installed components. For more information, see Chapter 4, “Configuring
Identity Manager Engine, Identity Applications, and Identity Reporting,” on page 53.

11. Perform additional configuration steps for the different components to be fully functional. For
more information, see Chapter 5, “Final Steps for Completing the Installation,” on page 61.

12. (Conditional) To install Identity Manager in a cluster, ensure that your environment meets the
requirements. For more information, see Part V, “Deploying Identity Manager for High Availability,”
on page 147.

13. To understand the structure of the directory where the installation programs placed the
installation files, see Section 3.10, “Understanding the Directory Structure,” on page 50.

14. For default installation locations, see Section 3.11, “Default Installation Locations,” on
page 51.

15. To determine what versions of Identity Manager components and subcomponents are
installed, see Section 3.12, “Component Versions Installed,” on page 52.


1.2 Recommended Installation Scenarios and Server Setup


When you perform a standalone installation, you should install the components in a specific order and 
on specific servers. The installation programs for some components require information about 
previously installed components. 


This section helps you determine installation order and server types, according to specific scenarios 
for auditing and reporting. 
• Section 1.2.1, “Deciding When to Install SLM for IGA,” on page 16
• Section 1.2.2, “Considerations for Installing in a Distributed Setup,” on page 17


1.2.1 Deciding When to Install SLM for IGA


Sentinel is the preferred audit event destination for Identity Manager. Identity Manager provides event 
forwarding capabilities to Sentinel by configuring Sentinel Link using Sentinel Event Source 
Management (ESM). If you are already using Sentinel for auditing or as an integration framework for 
tracking identities, you might choose to use your existing Sentinel for auditing events instead of 
installing SLM for IGA. 


Regardless of whether you choose to reuse your existing Sentinel server or perform a new 
installation of SLM for IGA shipped with Identity Manager, you must configure the Sentinel server as a 
source of audit data. You do this by creating a data synchronization policy on the Sentinel server in 
the Identity Manager Data Collection Services page for auditing events. For more information, see 
About the Data Sync Policies tab in the Administrator Guide to NetIQ Identity Reporting. 


If you perform a new installation of SLM for IGA, install the components in the following order: 


1. Identity Manager engine, drivers, and iManager plug-ins
2. (Optional) iManager
3. Designer
4. Identity Applications
5. Identity Reporting
6. (Optional) Analyzer
7. SLM for IGA or use an existing Sentinel installation


1.2.2 Considerations for Installing in a Distributed Setup 


Review the following considerations to help you plan your installation: 


Component Stickiness

Component: Standalone Installation

Identity Manager Engine: Can be installed on a separate server.

Identity Applications: Can be installed on a separate server. Identity Applications requires the
authentication service installed on the same server.

Identity Reporting: Can be installed on a separate server. The installer supports a locally or a
remotely installed authentication service for installing and upgrading Identity Reporting.

Authentication Service (OSP): No. The installer does not support a remotely installed
authentication service for the identity applications.

Password Management component (SSPR): Yes. The installer supports a standalone installation
and upgrade of the password management component.

Identity Applications Database: Yes

Reporting Database: Yes

Sentinel Log Management for IGA: Yes

Server Setup

In a typical production environment, you might install Identity Manager on seven or more
servers, as well as on client workstations. For example:

Computer setup: Component setup

All in One (only recommended for demo/POC setup): Install and configure all components on one
computer (Identity Manager Engine, Identity Applications, Identity Reporting, OSP, SSPR,
Identity Applications Database, and Reporting Database) and Sentinel Log Management for IGA
on a separate computer.

Distributed setup:

  Server 1: Identity Vault; Identity Manager Engine
  Server 2: Identity Applications and OSP (can be clustered)
  Server 3: Identity Reporting (OSP)
  Server 4: SSPR
  Servers 5 and 6: Identity Manager databases for Identity Applications and Identity Reporting
  Server 7: Sentinel Log Management for IGA


1.3 Meeting System Requirements 


An Identity Manager implementation can vary based on the needs of your IT environment, so you
should contact NetIQ Consulting Services (https://www.netiq.com/consulting/) or any of the NetIQ
Identity Manager partners prior to finalizing the Identity Manager architecture for your environment.


For information about the recommended hardware, supported operating systems, and supported
virtual environments, see the NetIQ Identity Manager Technical Information website
(https://wwwstage.netiq.com/products/identity-manager/advanced/technical-information/).


For information about system requirements for a specific release, see the Release Notes 
accompanying the release at the Identity Manager documentation (https://www.netiq.com/ 
documentation/identity-manager-47/) website. 


1.4 Minimum Space Requirements 


Identity Manager requires the following minimum free space for installing its components.

Path    Minimum Safe Space Required
/opt    10 GB
/var    10 GB
/etc    3 GB

During installation, ensure that the /tmp folder is mounted as exec, has 5 GB of free space, and has
write permissions.
1.5 Installing Identity Manager on SLES 12 SP2 or Later Servers


• Ensure that the unzip and bc RPMs are installed before installing Identity Manager.

• (Conditional) When installing the Identity Manager components in a SLES 12 SP3 environment,
ensure that glibc-32bit-*.x86_64.rpm is installed, where * denotes the latest version of
the RPM.


NOTE: NetIQ recommends that you obtain the dependent packages from your operating system
subscription service to ensure continued support from your operating system vendor. If you do not
have a subscription service, you can find the recent packages on a website such as
http://rpmfind.net/linux.


1.6 Installing Identity Manager on RHEL 7.3 or Later Servers


To install Identity Manager on a server running Red Hat Enterprise Linux 7.3 or later operating 
systems, ensure that the server meets a specific set of prerequisites. 


• Section 1.6.1, “Prerequisites,” on page 19
• Section 1.6.2, “Running a Prerequisite Check,” on page 19
• Section 1.6.3, “Ensuring that the Server has Dependent Libraries,” on page 20
• Section 1.6.4, “Creating a Repository for the Installation Media,” on page 20


1.6.1 Prerequisites


NetIQ recommends that you review the following prerequisites: 


• If you have a loopback address alias to the hostname of the system in an /etc/hosts entry, it
must be changed to the hostname or IP address. That is, if you have an entry similar to the first
example below in your /etc/hosts file, change it to the correct entries shown in the second
example.

  The following entry causes problems when any utility tries to resolve to the ndsd server:

    <loopback IP address> test-system localhost.localdomain localhost

  The following is a correct example entry in /etc/hosts:

    <loopback IP address> localhost.localdomain localhost
    <loopback IP address> test-system

  If any third-party tool or utility resolves through localhost, change it to resolve through a
  hostname or IP address and not through the localhost address.


• Install the appropriate libraries on the server. For more information, see Section 1.6.3, “Ensuring
that the Server has Dependent Libraries,” on page 20.
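The /etc/hosts check above can be scripted as a pre-install gate. The following is an added example, not part of the NetIQ guide: it flags any loopback line that lists the system's hostname together with the localhost aliases (the broken shape shown above) and accepts the corrected layout; the file path and hostname are passed as arguments, so the sample files it builds are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the NetIQ guide: report /etc/hosts entries in the
# shape the guide says breaks name resolution to the ndsd server, i.e. a
# loopback line that lists the system's hostname together with the localhost
# aliases. The guide's corrected layout (localhost aliases on one loopback line,
# the hostname on its own line) passes.
set -u

# hosts_loopback_conflicts FILE [HOSTNAME]
# Prints each offending line with its line number. Returns 0 when FILE has no
# such line and 1 when at least one exists. HOSTNAME defaults to this machine's.
hosts_loopback_conflicts() {
    local file="$1"
    local host="${2:-$(hostname)}"
    awk -v host="$host" '
        { sub(/#.*/, "") }              # drop comments; awk re-splits the fields
        NF < 2 { next }                 # blank line or an address with no names
        $1 ~ /^127\./ || $1 == "::1" {  # loopback entries only
            has_host = 0; has_local = 0
            for (i = 2; i <= NF; i++) {
                if ($i == host) has_host = 1
                if ($i == "localhost" || $i == "localhost.localdomain") has_local = 1
            }
            if (has_host && has_local) { printf "%d: %s\n", NR, $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$file"
}

# Constructed walkthrough using the two entries from the guide: returns 0 when
# the broken entry is flagged and the corrected pair is accepted.
demo_hosts_check() {
    local bad good
    bad=$(mktemp); good=$(mktemp)
    printf '127.0.0.1 test-system localhost.localdomain localhost\n' > "$bad"
    printf '127.0.0.1 localhost.localdomain localhost\n127.0.0.1 test-system\n' > "$good"
    if hosts_loopback_conflicts "$bad" test-system > /dev/null; then
        rm -f "$bad" "$good"; return 1       # the broken entry was not flagged
    fi
    hosts_loopback_conflicts "$good" test-system > /dev/null
    local rc=$?
    rm -f "$bad" "$good"
    return "$rc"
}
```

On a real server, run `hosts_loopback_conflicts /etc/hosts` before starting the installer; a non-zero exit with the printed line tells you which entry to split.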


1.6.2 Running a Prerequisite Check


You can generate a report of the missing prerequisites for each Identity Manager component. Run the 
./RHEL-Prerequisite.sh script located in the mount directory of the installation kit. 
1.6.3 Ensuring that the Server has Dependent Libraries




On a 64-bit platform, the required libraries for RHEL vary according to your chosen method of
installation. Install the dependent libraries or RPMs in the listed order.

Ensure that the unzip and bc RPMs are installed before installing Identity Manager.

NOTE: To install the ksh package, enter the following command:

  yum -y install ksh

  glibc-*.i686.rpm
  libstdc++-*.i686.rpm
  libgcc-*.i686.rpm
  compat-libstdc++-33-*.x86_64.rpm
  compat-libstdc++-33-*.i686.rpm
  libXtst-*.i686.rpm
  libXrender-*.i686.rpm


1.6.4 Creating a Repository for the Installation Media


If your RHEL 7.x server needs a repository for the installation media, you can manually create one. 


NOTE: Your RHEL server must have the appropriate libraries installed. For more information, see 
Section 1.6.3, “Ensuring that the Server has Dependent Libraries,” on page 20. 


To set up a repository for the installation: 


1 Create a mount point on your local server.

  Example: /mnt/rhel (mkdir -p /mnt/rhel)

  If you use installation media, mount it using the following command:

  # mount -o loop /dev/sr0 /mnt/rhel

  OR

  Mount the RHEL 7 installation ISO to a directory such as /mnt/rhel, using the following command:

  # mount -o loop RHEL7.x.iso /mnt/rhel

2 Download the RHEL 7.4 ISO and mount it.

  For example: mount -o loop <path_to_downloaded_rhel*.iso> /mnt/rhel

3 Copy the media.repo file from the root of the mounted directory to /etc/yum.repos.d/ and set
the required permissions.

  For example:

  # cp /mnt/rhel/media.repo /etc/yum.repos.d/rhel7dvd.repo
  # chmod 644 /etc/yum.repos.d/rhel7dvd.repo


4 Edit the new repo file by changing the gpgcheck=0 setting to 1 and add the following:

  enabled=1
  baseurl=file:///mnt/rhel/
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release


In the end, the new repo file looks like the following (though the mediaid differs depending on
the RHEL version):

  [InstallMedia]
  name=DVD for Red Hat Enterprise Linux 7.1 Server
  mediaid=1359576196.686790
  metadata_expire=-1
  gpgcheck=1
  cost=500
  enabled=1
  baseurl=file:///mnt/rhel
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release


5 To install the 32-bit packages, change “exactarch=1” to “exactarch=0” in the /etc/yum.conf file.


6 To install the required packages for Identity Manager on RHEL 7.x, create an install.sh file and
add the following contents to the file:

  #!/bin/bash
  # Refresh the repository metadata so the newly added installation-media repo is used
  yum clean all
  yum repolist
  yum makecache

  # 32-bit (i686) and 64-bit packages required by the Identity Manager installer
  PKGS="ksh gettext.x86_64 libXrender.i686 libXau.i686 libxcb.i686 libX11.i686
  libXext.i686 libXi.i686 libXtst.i686 glibc.x86_64 libstdc++.i686
  libstdc++.x86_64 libgcc.x86_64"

  # Install each package separately so one missing package does not abort the rest
  for PKG in $PKGS; do
      yum -y install "$PKG"
  done


NOTE: The installation media does not contain compat-libstdc++-33-*.i686.rpm and
compat-libstdc++-33-*.x86_64.rpm. These packages must be downloaded from the Red Hat portal.

Example: To install compat-libstdc++-33-*.x86_64.rpm, run the following command:

  yum -y install compat-libstdc++-33-*.x86_64.rpm


7 Run the install.sh file created in Step 6 or Step 5 depending on the RHEL version.


8 To confirm that the prerequisites are met, run the RHEL-Prerequisite.sh script located in the
mount directory of the installation kit.


9 Install Identity Manager 4.7. 
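Steps 3 and 4 above are where the repository's package-signature checking is decided: a repo file left at gpgcheck=0 lets yum install RPMs from the mounted media without verifying them against the Red Hat release key. The following added example, not part of the NetIQ guide, generates the repo file from media.repo with that setting forced on and then verifies the result; the mount point and key path default to the ones the guide uses, and the media.repo it builds for the walkthrough is constructed (its mediaid is a placeholder).

```shell
#!/bin/bash
# Added example, not from the NetIQ guide: derive the yum repo file for the
# mounted RHEL installation media from its media.repo with gpgcheck forced to 1,
# so every RPM pulled from the media is signature-checked against the Red Hat
# release key before it is installed, and verify the result. Paths default to
# the ones the guide uses (/mnt/rhel, /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release).
set -u

# build_install_media_repo SRC DST [MOUNT] [GPGKEY]
# Rewrites gpgcheck to 1, drops any enabled/baseurl/gpgkey lines the source may
# carry, then appends the three settings from step 4 of the guide.
build_install_media_repo() {
    local src="$1" dst="$2"
    local mnt="${3:-/mnt/rhel}"
    local key="${4:-/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release}"
    sed -e 's/^gpgcheck=.*/gpgcheck=1/' \
        -e '/^enabled=/d' -e '/^baseurl=/d' -e '/^gpgkey=/d' "$src" > "$dst" || return 1
    grep -q '^gpgcheck=' "$dst" || echo 'gpgcheck=1' >> "$dst"   # source had no gpgcheck line
    {
        echo 'enabled=1'
        echo "baseurl=file://$mnt/"
        echo "gpgkey=file://$key"
    } >> "$dst"
    chmod 644 "$dst"
}

# repo_is_hardened FILE
# Returns 0 only when FILE enables signature checking and its gpgkey points at a
# readable key file; a repo left at gpgcheck=0 would install unverified packages.
repo_is_hardened() {
    local f="$1" key
    grep -qx 'gpgcheck=1' "$f" || return 1
    key=$(sed -n 's|^gpgkey=file://||p' "$f" | head -n 1)
    [ -n "$key" ] && [ -r "$key" ]
}

# Constructed walkthrough: a media.repo shaped like the one on the ISO (the
# mediaid is a placeholder), a stand-in release key, and the repo file built
# from them. Returns 0 when the source fails the check and the result passes it.
demo_build_repo() {
    local dir; dir=$(mktemp -d)
    printf '%s\n' '[InstallMedia]' 'name=DVD for Red Hat Enterprise Linux 7.x Server' \
        'mediaid=0000000000.000000' 'metadata_expire=-1' 'gpgcheck=0' 'cost=500' \
        > "$dir/media.repo"
    echo 'stand-in key, not a real GPG key' > "$dir/RPM-GPG-KEY-redhat-release"
    build_install_media_repo "$dir/media.repo" "$dir/rhel7dvd.repo" \
        "$dir/mnt" "$dir/RPM-GPG-KEY-redhat-release" || return 1
    if repo_is_hardened "$dir/media.repo"; then return 1; fi   # unmodified source is unsafe
    repo_is_hardened "$dir/rhel7dvd.repo"
}
```

On a real server, `build_install_media_repo /mnt/rhel/media.repo /etc/yum.repos.d/rhel7dvd.repo` followed by `repo_is_hardened /etc/yum.repos.d/rhel7dvd.repo` replaces the manual edit in step 4 and confirms the key file is present before step 6 runs.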
Considerations for Installing Identity Manager Components

This section provides the prerequisites, considerations, and system setup needed to install the
Identity Manager components.

• Section 2.1, “Understanding the Installation and Configuration Process,” on page 23
• Section 2.2, “Considerations for Installing Identity Manager Engine Components,” on page 26
• Section 2.3, “Considerations for Installing Identity Applications Components,” on page 27
• Section 2.4, “Considerations for Installing Identity Reporting Components,” on page 30
• Section 2.5, “Considerations for Installing Designer,” on page 31
• Section 2.6, “Considerations for Installing Analyzer,” on page 32
• Section 2.7, “Considerations for Installing SLM for IGA,” on page 32

2.1 Understanding the Installation and Configuration Process


Identity Manager provides a scripted installation program that installs and configures the Identity
Manager engine, Identity Applications, and Identity Reporting in two separate phases. The installation
phase installs the components. The configuration phase configures the Identity Manager components.
Both the installation and configuration scripts, install.sh and configure.sh, are located in the root of
the .iso image file of the Identity Manager installation package.


Depending on the Identity Manager Advanced or Standard Edition selected during installation, 
different components will be installed. For example, the following options are displayed when Identity 
Manager Advanced Edition is selected: 


• Identity Manager Engine
• Identity Manager Remote Loader Service
• Identity Manager Fanout Agent
• iManager Web Administration
• Identity Reporting
• Identity Applications
Table 2-1 Installation Options

Installation Option: Installs

Identity Manager Engine: Installs the Identity Vault, Identity Manager engine, and Identity
Manager drivers. The installation process also installs Oracle JRE (JRE).
If you want to install Identity Manager engine as a non-root user, see Section 3.8, “Installing
Identity Manager Engine as a Non-root User,” on page 46.

Identity Manager Remote Loader Server: Installs the Remote Loader service and the driver
instances in the Remote Loader. The Remote Loader allows you to run Identity Manager drivers on
connected systems that do not host the Identity Vault and the Identity Manager engine.

Identity Manager Fanout Agent: Installs the Fanout agent for the JDBC Fanout driver. The JDBC
Fanout driver uses the Fanout agent to create multiple JDBC Fanout driver instances. The Fanout
agent loads the JDBC driver instances based on the configuration of the connection objects in the
Fanout driver. For more information, see NetIQ Identity Manager Driver for JDBC Fan-Out
Implementation Guide.

iManager Web Administration: Installs the iManager Web Administration console and iManager
plug-ins.

Identity Applications: Installs several components that provide the underlying framework for the
identity applications.

  • Identity Manager Dashboard
  • Identity Manager Administration Console
  • User Application
  • User Application driver (UAD)
  • Role and Resource Service driver (RRSD)

  The installer internally installs an authentication service (OSP) to support single sign-on access
  to the identity applications and Identity Reporting.

  OSP supports the OAuth2 specification and requires an LDAP authentication server. By default,
  Identity Manager uses Identity Vault (eDirectory). OSP can communicate with other types of
  authentication sources, or identity vaults, to handle the authentication requests. You can
  configure the type of authentication that you want OSP to use: userID and password, Kerberos,
  or SAML. However, OSP does not support MIT-style Kerberos or SAP login tickets. For more
  information about configuring authentication and single sign-on access, see Configuring Single
  Sign-on Access in Identity Manager in the NetIQ Identity Manager - Administrator’s Guide to the
  Identity Applications.

  The installer also installs a password management service (SSPR) that helps you configure
  Identity Manager to allow users to reset their passwords.

  The installation process also deploys the User Application driver and the Role and Resource
  Service driver to the Identity Vault.

  The installation process creates the Tomcat Service for the identity applications. To support the
  Tomcat application server, the installation program installs supported versions of JRE and
  Apache ActiveMQ. These items help Tomcat send email notifications. The installation program
  does not start Tomcat upon completion. If you have already installed JRE with the Identity
  Manager engine, you can point identity applications to the same copy of JRE.

Identity Reporting: Installs several components that provide the underlying framework for
Identity Reporting.

  • Identity Reporting
  • Managed System Gateway driver (MSGW)
  • Data Collection Service driver (DCS)

  The installation process creates the Tomcat Service for the reporting application. To support the
  Tomcat application server, the installation program installs a supported version of JRE. These
  items help Tomcat send email notifications. The installation program does not start Tomcat upon
  completion. If you have already installed JRE with the Identity Manager engine, you can point
  Identity Reporting to the same copy of JRE.


You can configure the Identity Manager components immediately after the installation or configure 
them later. Identity Manager provides two configuration options: typical and custom. 


A typical configuration assumes default settings for most of the configuration options. In a custom 
configuration, you can specify custom values according to your requirement. You can configure most 
of the settings using this option. 


The installer provides an option to create a silent properties file in an interactive mode. You can 
record the installation options in the properties file and then use the file to run the silent installation on 
different servers in your environment. The silent installation program reads the values from the file to 
perform the installation. For details on the component-wise configuration, see Section 4.1, 
“Understanding the Configuration Parameters,” on page 53. 


NetIQ provides separate installation programs for Designer, Analyzer, and Sentinel for IGA. 
The installation program for SLM for IGA performs the following functions: 


• Installs and optionally configures the service
• Creates the user account that can perform administration tasks for the service (admin)
• Creates the database administrator account used by the service to interact with the database
(dbauser)


By default, the installation programs install the components in the default locations. For more 
information, see Section 3.11, “Default Installation Locations,” on page 51. 


2.2 Considerations for Installing Identity Manager Engine Components


Review the following considerations before installing the Identity Manager engine, drivers, Remote 
Loader, Fanout Agent, and iManager Web Administration. 


• The Identity Manager engine and iManager installation process requires the following minimum
space:

  Path    Component                  Minimum Safe Space Required
  /opt    Identity Manager Engine    3 GB
  /var    Identity Manager Engine    5 GB for a DIB of 100,000 objects
  /etc    Identity Manager Engine    5 MB
  /opt    iManager                   700 MB
  /var    iManager                   3 GB
  /etc    iManager                   10 MB


• Ensure that Identity Manager engine is installed before installing the Remote Loader.

  If you have installed the Remote Loader without installing the Identity Manager engine, you must
  install novell-openssl-9.1.0-0.x86_64.rpm before you begin the configuration of the Identity
  Manager engine.

  1. Navigate to the following location:

     <location where you have mounted the Identity_Manager_4.7_Linux.iso>/IDM/packages/OpenSSL/x86_64/

  2. Install novell-openssl-9.1.0-0.x86_64.rpm using the following command:

     rpm -ivh novell-openssl-9.1.0-0.x86_64.rpm
• Install the Remote Loader on a server that can communicate with the managed systems. The
driver for each managed system must be available with the relevant APIs.

• You can install the Remote Loader on the same computer where you installed the Identity
Manager engine.

• You can install Java Remote Loader on platforms that do not support the native Remote Loader.

• NetIQ recommends that you use the Remote Loader configuration with your drivers where
possible. Use the Remote Loader even in cases where the connected system is on the same
server as the Identity Manager engine.

  When you run the driver shim in the Remote Loader configuration, the following advantages
  apply:

  • Memory and processing isolation between driver shims allows for better performance and
  monitoring of the Identity Manager solution.
  • Patching and upgrading the driver shim does not impact the Identity Vault or other drivers.
  • Protects the Identity Vault from fatal issues that could occur in the driver shim.
  • Distributes the load from the driver shims to other servers.


2.3 Considerations for Installing Identity Applications Components


NetIQ recommends that you review the prerequisites and computer requirements for the identity 
applications before you begin the installation process. For more information about configuring the 
identity applications environment after installing the application components, see NetIQ Identity 
Manager - User’s Guide to the Identity Applications. 

• Section 2.3.1, “Installation Considerations for the Identity Applications,” on page 27
• Section 2.3.2, “Configuring the Database for the Identity Applications,” on page 28


2.3.1 Installation Considerations for the Identity Applications 


• The Identity Applications installation process requires the following minimum space:

  • /opt - 5 GB
  • /var - 100 MB

• Identity Applications require a supported version of the following Identity Manager components:

  • Identity Manager engine
  • Remote Loader

• You can configure Identity Applications with the following database versions:

  • PostgreSQL 9.6.6 (the installer installs this version by default)
  • Oracle 12.2.0.1 (must be installed before starting the installation)
  • MS SQL 2016 (must be installed before starting the installation)

• (Optional) NetIQ enables Secure Sockets Layer (SSL) protocol during the installation. To change
the communication settings among the identity applications components in your environment,
see Configuring Security in the Identity Applications in the NetIQ Analyzer for Identity Manager
Administration Guide.


• You cannot use the Role and Resource Service Driver with the Remote Loader because the
driver uses jClient.

• The installation process places the program files in the /opt/netiq/idm directory by default. If
you plan to install the User Application in a non-default location, the new directory must meet the
following requirements before you begin the installation process:

  • The directory exists and is writable.
  • The directory is writable by non-root users.

• Each User Application instance can service only one user container. For example, you can add
users to, search, and query only the container associated with the instance. Also, a user
container association with an application is meant to be permanent.

• (Optional) To retrieve authorizations from managed systems, install one or more of the Identity
Manager drivers.

  • You must use drivers supported by Identity Manager 4.6 or later. For more information about
  installing the drivers, see the appropriate driver guides in the NetIQ Identity Manager
  Drivers documentation website.

  • To manage the drivers, you must have previously installed Designer or the appropriate
  plug-ins for iManager. The iManager plug-ins are packaged in the Identity Manager engine
  installation.


Configuring the Database for the Identity Applications 


The database for the identity applications supports tasks such as storing configuration data and data 
for workflow activities. Before you can install the applications, the database must be installed and 
configured. 


The installation process installs PostgreSQL 9.6.6 for the identity applications and creates an 
administrative user called idmadmin to own the database. However, the installation does not create 
the schema in the database for the identity applications. Schema information gets added when you 
install the identity applications. 


If you are using a supported version of Oracle or Microsoft SQL Server for the database for identity 
applications, you must configure the database. 


Configuring an Oracle Database 


This section provides configuration options for using an Oracle database for the User Application. 


• “Checking Compatibility Level of Databases” on page 28
• “Configuring the Character Set” on page 29
• “Configuring the Admin User Account” on page 29


Checking Compatibility Level of Databases 


Databases from different releases of Oracle are compatible if they support the same features and
those features perform the same way. If they are not compatible, certain features or operations might
not work as expected. For example, schema creation might fail, which prevents you from deploying the
identity applications.


To check the compatibility level of your database, perform the following steps: 


1. Connect to the Database Engine.
2. After connecting to the appropriate instance of the SQL Server Database Engine, in Object
Explorer, click the server name.


3. Expand Databases, and, depending on the database, either select a user database or expand
System Databases and select a system database.


4. Right-click the database, and then click Properties.
The Database Properties dialog box opens.
5. In the Select a page pane, click Options.
The current compatibility level is displayed in the Compatibility level list box.
6. To check the Compatibility Level, enter the following in the query window and click Execute.
SQL> SELECT name, value FROM v$parameter
WHERE name = 'compatible';


The expected output is: 12.1.0.2


Configuring the Character Set 


Your User Application database must use a Unicode-encoded character set. When creating the 
database, use AL32UTF8 to specify this character set. 


To confirm that your supported Oracle database is set for UTF-8, issue the following command: 
select * from nls_database_parameters; 
If the database is not configured for UTF-8, the system responds with the following information: 


NLS_CHARACTERSET 
WE8MSWIN1252 


Otherwise, the system responds with the following information that confirms the database is 
configured for UTF-8: 


NLS_CHARACTERSET 
AL32UTF8 


For more information about configuring a character set, see “Choosing an Oracle Database
Character Set”.


Configuring the Admin User Account 


The User Application requires that the Oracle database user account has specific privileges. In the
SQL*Plus utility, enter the following commands:


CREATE USER idmuser IDENTIFIED BY password;
GRANT CONNECT, RESOURCE TO idmuser;
ALTER USER idmuser QUOTA 100M ON USERS;


where idmuser represents the user account. 


Configuring a SQL Server Database 


This section provides configuration options for using an SQL Server database for the User 
Application. 


• “Configuring the Character Set” on page 30
• “Configuring the Admin User Account” on page 30


Configuring the Character Set 


SQL Server does not allow you to specify the character set for databases. The User Application 
stores SQL Server character data in a NCHAR column type, which supports UTF-8. 


Configuring the Admin User Account 


After installing Microsoft SQL Server, create a database and database user using an application such 
as SQL Server Management Studio. The database user account must have the following privileges: 


• CREATE TABLE
• DELETE
• INSERT
• SELECT
• UPDATE


NOTE: It is recommended to use JDBC JAR version sqljdbc42.jar.


2.4 Considerations for Installing Identity Reporting Components


This section provides guidance for preparing to install the components for Identity Reporting. You can
use Sentinel to audit events.


NetIQ recommends that you review the following information before starting the installation process.


• Section 2.4.1, “Prerequisites for Identity Reporting,” on page 30
• Section 2.4.2, “Identifying Audit Events for Identity Reporting,” on page 31


2.4.1 Prerequisites for Identity Reporting


• The installation process requires the following minimum space requirements:
  • /opt - 2 GB
  • /var - 2 GB
  • /etc - 2 GB


• The installation process requires a supported and configured version of the following Identity
Manager components:
  • Identity applications, including the User Application driver (applicable only for Advanced
  Edition)
  • Sentinel Log Management for IGA installed on a separate Linux computer.


• The installation process modifies JAVA_OPTS or CATALINA_OPTS entries for JRE mapping in the
setenv.sh file for Tomcat.


• Do not install Identity Reporting on a server in a clustered environment.


• To run reports against an Oracle database, you must ensure that you have copied the
ojdbc8.jar. For more information, see Section 5.7.2, “Running Reports on an Oracle
Database,” on page 84.


• Assign the Report Administrator role to any users that you want to access reporting functionality.


• Ensure that all servers in your Identity Manager environment are set to the same time. If you do
not synchronize the time on your servers, some reports might be empty when executed. For
example, this issue can affect data related to new users when the servers hosting the Identity
Manager engine and the warehouse have different time stamps. If you create and then modify a
user, the reports are populated with data.


2.4.2 Identifying Audit Events for Identity Reporting


This section provides information on how to identify different audit events required for Identity
Manager reports and custom reports. You can unzip all report sources and run the following script to
identify the audit events:


find . -name '*.jrxml' -print0 | xargs -0 grep -H "'000[B3]" | perl -ne '($file) = /^\.\/(.*?)\//; @a = /000[3B]..../g; foreach $a (@a) { print "$file;$a\n" }' | sort -u
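As an added example (not part of the NetIQ guide or its report sources), the following Python script does the same job as the pipeline above: it walks a directory of unzipped report sources, takes the 000[3B] event IDs from every .jrxml line that the grep filter would select, and returns unique report;event pairs. The report names and event IDs in its built-in sample tree are constructed for illustration and are not taken from the shipped report definitions.

```python
"""Identify the audit event IDs referenced by Identity Reporting .jrxml report sources.

Added example (not NetIQ code): a Python equivalent of the find | grep | perl
pipeline, mirrored step by step so its result can be checked against it.
"""
import re
import tempfile
from pathlib import Path

# grep -H "'000[3B]" selects lines where an event ID follows a single quote;
# perl's /000[3B]..../g then extracts every 8-character ID from those lines.
LINE_FILTER_RE = re.compile(r"'000[3B]")
EVENT_ID_RE = re.compile(r"000[3B].{4}")


def report_name(rel_path):
    r"""First directory below the scan root, like perl's /^\.\/(.*?)\// capture.

    A .jrxml sitting directly in the root has no directory component; the
    pipeline would print an empty name for it, so we fall back to the file name.
    """
    parts = rel_path.parts
    return parts[0] if len(parts) > 1 else rel_path.name


def find_audit_events(root):
    """Return sorted unique (report, event_id) pairs found under *root*."""
    root = Path(root)
    found = set()
    for path in sorted(root.rglob("*.jrxml")):
        name = report_name(path.relative_to(root))
        # errors="replace" keeps a stray non-UTF-8 byte from aborting the scan
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            if not LINE_FILTER_RE.search(line):
                continue
            for event_id in EVENT_ID_RE.findall(line):
                found.add((name, event_id))
    return sorted(found)


# Constructed sample report sources for a self-contained run. The report
# names and event IDs are made up for this example.
SAMPLE_REPORTS = {
    "Authentication_by_User/Authentication_by_User.jrxml": (
        "<queryString><![CDATA[SELECT * FROM audit_events "
        "WHERE evt_id IN ('0003001D', '0003001E', '000B0001')]]></queryString>"
    ),
    "Password_Changes/Password_Changes.jrxml": (
        "<queryString><![CDATA[SELECT * FROM audit_events "
        "WHERE evt_id = '0003001D' OR evt_id = '0003001F']]></queryString>"
    ),
    # A sub-report deeper in the tree still belongs to its top-level report.
    "Password_Changes/sub/Details.jrxml": (
        "<textFieldExpression><![CDATA[\"Event '000B0002' fired\"]]></textFieldExpression>"
    ),
    # Not a .jrxml file: the pipeline never looks at it, and neither do we.
    "Readme.txt": "Event '00030099' is mentioned here but must be ignored.",
}


def write_sample_tree(root):
    """Create the constructed sample files below *root*."""
    for rel, content in SAMPLE_REPORTS.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Build the sample tree in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return find_audit_events(tmp)


if __name__ == "__main__":
    # Same "report;event" layout as the pipeline's print "$file;$a\n"
    for report, event_id in demo():
        print(f"{report};{event_id}")
```

Point find_audit_events() at the directory where you unzipped the report sources to get the list for your own reports; compare it with the audit flags enabled in SSPR, iManager, and the User Application before running them.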


The following section provides information on how to identify and select various audit events for
Identity Manager reports and custom reports:


Event Name: Authentication and Password Change
Audit Flag:
Selecting Audit Flag using SSPR: Launch SSPR Configuration Editor > Audit Configuration > Select
from the following audit flags:
  • Authenticate
  • Change Password
  • Unlock Password
  • Recover Password
  • Intruder Attempt
  • Intruder Lock
  • Intruder Lock User

Selecting Audit Flag using iManager: Go to iManager Roles and Tasks > eDirectory Auditing > Audit
Configuration > Novell Audit > Select from the following audit flags:
  • Change Password
  • Verify Password
  • Login
  • Logout


Event Name: All other reporting events
Audit Flag: Go to NetIQ Identity Manager UserApp > Administration > Logging > Enable audit service


2.5 Considerations for Installing Designer


• Before installing Designer on a supported SLES or RHEL server, you must install the GNU
gettext utilities (gettext) on the server. These utilities provide a framework for internationalized
and multilingual messages.


• (Conditional) On a RHEL 7.4 system, you must install gtk2-2.24.31-1.el7.x86_64.rpm.
NOTE: NetIQ recommends that you obtain the dependent packages from your operating system
subscription service to ensure continued support from your operating system vendor. If you
do not have a subscription service, you can find the recent packages from a website such as
http://rpmfind.net/linux.


2.6 Considerations for Installing Analyzer


• Before installing Analyzer on a computer running the SLES 12 SP3 operating system, ensure that
the following libraries are installed:
  • libswt3-gtk2-3.3.0-0.20.8.9mdv2008.0.i586.rpm
  • libxcomposite1-0.4.1-1mdv2010.1.i586.rpm
  • libgdk_pixbuf2.0_0-2.20.1-1mdv2010.1.i586.rpm
  • libgtk+-x11-2.0_0-2.12.1-2.1mdv2008.0.i586.rpm
  • gettext (GNU gettext utilities)


• Before installing Analyzer on a computer running RHEL 7.3 or later platforms, ensure that the
following libraries are installed on the computer:
  • gtk2.i686.rpm. For example, you can download the package from the operating system
  vendor website.
  • gettext (GNU gettext utilities)


NOTE: NetIQ recommends that you obtain the dependent packages from your operating system
subscription service to ensure continued support from your operating system vendor. If
you do not have a subscription service, you can find the recent packages from a website such as
http://rpmfind.net/linux.


• Ensure that the computer running Analyzer has a video resolution of 1024x768 (1280x1025
recommended).


2.7 Considerations for Installing SLM for IGA


Before installing SLM for IGA on a supported SLES or RHEL server, ensure that the following RPMs
are installed on the server:


• bash
• bc
• coreutils
• gettext
• glibc
• grep
• libgcc
• libstdc
• lsof
• net-tools
• openssl
• python-libs
• sed
• zlib
Installing and Configuring Identity Manager Components


This section guides you through the process of installing Identity Manager components. Before you 
start installation, evaluate how you want to implement Identity Manager. For more information, see 
Identity Manager Deployment Configurations in the NetIQ Identity Manager Overview and Planning 
Guide - Work-In-Progress DRAFT. For information about installing Identity Manager components, see 
Chapter 3, “Installing Identity Manager,” on page 37. 


After installing the Identity Manager engine, Identity Applications, and Identity Reporting, if you want 
to change any of the configuration settings for these components, you can run the configure.sh 
script to modify the settings. For more information, see Chapter 4, “Configuring Identity Manager 
Engine, Identity Applications, and Identity Reporting,” on page 53. 


After the Identity Manager components are installed and basic configuration has been completed, you 
must perform additional configuration steps for the different components to be fully functional. For 
more information, see Chapter 5, “Final Steps for Completing the Installation,” on page 61. 


Installing Identity Manager 


This section guides you through the process of installing Identity Manager. You must install the
components in the following order:


• Identity Manager Engine
• Identity Applications
• Identity Reporting
• Designer
• Analyzer
• Sentinel Log Management for Identity Governance and Administration


3.1 Installation Checklist


Ensure that you have completed the following tasks before you start the installation:


• Verify that your hardware and software meet the system requirements listed in Section 1.3,
“Meeting System Requirements,” on page 18.


• If there was a previous installation of Identity Manager, ensure that there are no files or system
settings remaining from it. For more information, see Chapter 13, “Uninstalling Identity Manager
Components,” on page 165.


• If you plan to install the licensed version, obtain your license key from the NetIQ Customer Care
Center (https://www.netiq.com/Support/default.asp).


• (Conditional) When installing components on SUSE Linux Enterprise 12 SP2 or later servers,
ensure that the server has the correct libraries. For more information, see Section 1.5, “Installing
Identity Manager on SLES 12 SP2 or Later Servers,” on page 19.


• (Conditional) For computers running RHEL 7.3 or later, ensure that you have installed the
appropriate set of libraries. For more information, see Section 1.6, “Installing Identity Manager
on RHEL 7.3 or Later Servers,” on page 19.


• Determine whether you can run the installation programs in your preferred language. For more
information, see Understanding Identity Manager Localization in the NetIQ Identity Manager
Overview and Planning Guide - Work-In-Progress DRAFT.


• Ensure that you have the files for installing Identity Manager. For more information, see Where to
Get Identity Manager in the NetIQ Identity Manager Overview and Planning Guide - Work-In-
Progress DRAFT.


• Ensure that you have the appropriate credentials required to install the Identity Manager
components on your servers and the accounts that you might create during the installation.


• (Conditional) To install the Remote Loader on a server that does not host the Identity Manager
engine, ensure that you can establish a secure connection to the engine. For more information,
see Creating a Secure Connection to the Identity Manager Engine in the NetIQ Identity Manager
Driver Administration Guide.


• Configure the installed components. For more information, see Chapter 4, “Configuring Identity
Manager Engine, Identity Applications, and Identity Reporting,” on page 53.


• (Conditional) To configure the single sign-on settings for the identity applications after
installation, see Configuring Single Sign-on Access in Identity Manager in the NetIQ Identity
Manager - Administrator’s Guide to the Identity Applications.


• To review the ports used by the Identity Manager components, see Understanding Identity
Manager Communication in the NetIQ Identity Manager Security Guide.


3.2 Installing Identity Manager Engine 


The Identity Manager engine can be installed using the following methods: 


• Performing an Interactive Installation
• Performing a Silent Installation


3.2.1 Performing an Interactive Installation 


1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.
2 Mount the downloaded .iso.
3 From the root directory of the .iso file, run the following command:
./install.sh
4 Read through the license agreement.
5 Enter y to accept the license agreement.


6 Decide the Identity Manager server edition you want to install. Enter y for Advanced Edition and 
n for Standard Edition. 


7 Select Identity Manager Engine and proceed with the installation. 


8 Configure the installed components. For more information, see Chapter 4, “Configuring Identity 
Manager Engine, Identity Applications, and Identity Reporting,” on page 53. 


3.2.2 Performing a Silent Installation 


1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.


2 Mount the downloaded .iso.


3 From the root directory of the .iso, run the following command:
./create_silent_props.sh

4 Enter y to confirm the creation of the file.

5 To install JRE, enter y.

6 To upgrade the existing Identity Manager components, enter y.


7 Decide the Identity Manager server edition you want to install. Enter y for Advanced Edition and
n for Standard Edition.


8 Select a configuration mode for the components. For more information, see Chapter 4,
“Configuring Identity Manager Engine, Identity Applications, and Identity Reporting,” on page 53.


9 Specify the components that you want to install.


10 Run the following command to perform a silent installation:
./install.sh -s -f <location of the silent properties file>
For example,


./install.sh -s -f /mnt/silent.properties, where /mnt/silent.properties is the
location where you stored the silent properties file.


3.3 Installing Identity Applications 


Identity Applications can be installed using the following methods: 


• Performing an Interactive Installation
• Performing a Silent Installation

If you want to install Identity Applications and SSPR on separate systems, the installer provides you
an option to install SSPR separately.

• Performing an Interactive Installation of SSPR
• Performing a Silent Installation of SSPR


3.3.1 Performing an Interactive Installation 


1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.
2 Mount the downloaded .iso.
3 From the root directory of the .iso file, run the following command:
./install.sh
4 Read through the license agreement.
5 Enter y to accept the license agreement.


6 Decide the Identity Manager server edition you want to install. Enter y for Advanced Edition and 
n for Standard Edition. 


7 Select Identity Applications and proceed with the installation. 


8 Configure the installed components. For more information, see Chapter 4, “Configuring Identity 
Manager Engine, Identity Applications, and Identity Reporting,” on page 53. 


3.3.2 Performing a Silent Installation 


1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.

2 Mount the downloaded .iso.

3 From the root directory of the .iso, run the following command:
./create_silent_props.sh

4 Enter y to confirm the creation of the file.

5 To install JRE, enter y.


6 Decide the Identity Manager server edition you want to install. Enter y for Advanced Edition and
n for Standard Edition.


7 Select a configuration mode for the components. For more information, see Chapter 4,
“Configuring Identity Manager Engine, Identity Applications, and Identity Reporting,” on page 53.


8 Select Identity Applications and proceed with the installation.
9 Run the following command to perform a silent installation:
./install.sh -s -f <location of the silent properties file>
For example,


./install.sh -s -f /mnt/silent.properties, where /mnt/silent.properties is the
location where you stored the silent properties file.


3.3.3 Performing an Interactive Installation of SSPR 


If you want to install Identity Applications and SSPR in a distributed environment, the installer
provides you an option to install SSPR separately.

1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.
2 Mount the downloaded .iso.
3 From the root directory of the .iso file, navigate to the SSPR directory.
4 Run the following command:
./install.sh
5 Read through the license agreement.
6 Enter y to accept the license agreement.


7 Configure the installed components. For more information, see Chapter 4, “Configuring Identity
Manager Engine, Identity Applications, and Identity Reporting,” on page 53.


3.3.4 Performing a Silent Installation of SSPR 


1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.
2 Mount the downloaded .iso.

3 From the root directory of the .iso file, navigate to the SSPR directory.

4 Run the following command:


./install.sh -s sspr_silentinstall.properties


3.4 Installing Identity Reporting 


Identity Reporting can be installed using the following methods: 


• Performing an Interactive Installation
• Performing a Silent Installation


3.4.1 Performing an Interactive Installation 


1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.
2 Mount the downloaded .iso.
3 From the root directory of the .iso file, run the following command:
./install.sh
4 Read through the license agreement.


5 Enter y to accept the license agreement.


6 Decide the Identity Manager server edition you want to install. Enter y for Advanced Edition and
n for Standard Edition.


7 Specify Identity Reporting and proceed with the installation.


8 Configure the installed components. For more information, see Chapter 4, “Configuring Identity
Manager Engine, Identity Applications, and Identity Reporting,” on page 53.


3.4.2 Performing a Silent Installation 


1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website.


2 Mount the downloaded .iso.


3 From the root directory of the .iso, run the following command:
./create_silent_props.sh


4 Enter y to confirm the creation of the file.


5 To install the JRE, enter y.


6 Decide the Identity Manager server edition you want to install. Enter y for Advanced Edition and
n for Standard Edition.


7 Select a configuration mode for the components. For more information, see Chapter 4,
“Configuring Identity Manager Engine, Identity Applications, and Identity Reporting,” on page 53.


8 Specify Identity Reporting and proceed with the installation.


9 Run the following command to perform a silent installation: 


./install.sh -s -f <location of the silent properties file> 
For example, 


./install.sh -s -f /mnt/silent.properties, where /mnt/silent.properties is the 
location where you stored the silent properties file. 


3.5 Installing Designer 


You can install Designer either in GUI or console mode. 


To install Designer: 


1 Download the Identity_Manager_Linux_LDAP_Designer.tar.gz from the NetIQ Downloads
website.


2 Navigate to a directory where you want to extract the file.


3 Run the following command:
tar -zxvf Identity_Manager_Linux_LDAP_Designer.tar.gz
4 Run one of the following commands to install Designer:
GUI: ./install
Console: ./install -i console
5 Follow the prompts and proceed with the installation.
3.6 Installing Analyzer


This section guides you through the process of installing Analyzer and configuring your environment 
for Analyzer. 


• Section 3.6.1, “Using the Wizard to Install Analyzer,” on page 42
• Section 3.6.2, “Installing Analyzer Silently,” on page 43
• Section 3.6.3, “Adding XULrunner to Analyzer.ini,” on page 43


3.6.1 Using the Wizard to Install Analyzer


The following procedure describes how to install Analyzer on a Linux or Windows platform using an 
installation wizard, either in the GUI format or from the console. To perform a silent, unattended 
installation, see Section 3.6.2, “Installing Analyzer Silently,” on page 43. 


1 Log in as root or an administrator to the computer where you want to install Analyzer.


2 (Conditional) If you have the .iso image file for the Identity Manager installation package,
navigate to the directory containing the Analyzer installation files, located by default in the
/Analyzer/packages directory.


3 (Conditional) If you downloaded the Analyzer installation files, complete the following steps:
3a Navigate to the .tgz or win.zip file for the downloaded image.
3b Extract the contents of the file to a folder on the local computer.


4 Execute the installation program:
./install


5 Follow the instructions in the wizard until you finish installing Analyzer.


6 When the installation process completes, review the post-installation summary to verify the
installation status and the location of the log file for Analyzer.


7 Click Done.
8 (Conditional) Complete the steps in Section 3.6.3, “Adding XULrunner to Analyzer.ini,” on
page 43.
9 (Optional) To configure role-based services for Analyzer on the Windows computer, open the link
to the gettingstarted.html website, located by default in the C:\Program Files
(x86)\NetIQ\Tomcat\webapp\nps\help\en\install directory.
You use iManager to configure the role-based services.
10 To activate Analyzer, see Activating Analyzer in NetIQ Identity Manager Overview and Planning
Guide - Work-In-Progress DRAFT.
3.6.2 Installing Analyzer Silently


A silent (non-interactive) installation does not display a user interface or ask the user any questions.
Instead, InstallAnywhere uses information from a default analyzerInstaller.properties file. You
can run the silent installation with the default file or edit the file to customize the installation process.


By default, the installation program installs Analyzer in the Program Files (x86)\NetIQ\Analyzer 
directory. 
1 Log in as root or an administrator to the computer where you want to install Analyzer. 


2 (Conditional) If you have the .iso image file for the Identity Manager installation package, 
navigate to the directory containing the Analyzer installation files, located by default in the 
products/Analyzer/ directory. 


3 (Conditional) If you downloaded the Analyzer installation files from the NetIQ Downloads website,
complete the following steps:


3a Navigate to the .tgz or win.zip file for the downloaded image.
3b Extract the contents of the file to a folder on the local computer.
4 (Optional) To specify a non-default installation path, complete the following steps:


4a Open the analyzerInstaller.properties file, located by default in the
products/Analyzer/ directory.


4b Add the following text to the properties file:
USER_INSTALL_DIR=installation_path


5 To run the silent installation, issue one of the following commands:
• Linux: install -i silent -f analyzerInstaller.properties
• Windows: install.exe -i silent -f analyzerInstaller.properties


6 Complete the steps in Section 3.6.3, “Adding XULrunner to Analyzer.ini,” on page 43. 


3.6.3 Adding XULrunner to Analyzer.ini


Before running Analyzer on a Linux platform, you must change the XULRunner mapping. 


NOTE: The recommended version of XULrunner on SLED 11 is 1.9.0.19. On openSUSE 11.4, it is 
1.9.0.2. These versions are shipped with the operating systems. 


1 Navigate to the Analyzer installation directory, by default in the following location:
home/admin/analyzer
2 Open the Analyzer.ini file in the gedit editor.


3 Add the following line to the end of the list of the parameters:
-Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/


For example, the Analyzer.ini file should read as follows:


-vmargs
-Xms256m
-Xmx1024m
-XX:MaxPermSize=128m
-XX:+UseParallelGC
-XX:ParallelGCThreads=20
-XX:+UseParallelOldGC
-Dorg.eclipse.swt.browser.XULRunnerPath=/usr/lib/xulrunner-1.9/


4 Save the Analyzer.ini file.
5 Launch Analyzer.


3.7 Installing Sentinel Log Management for Identity Governance and Administration


You can install Sentinel Log Management for Identity Governance and Administration (IGA) by using
the following methods:
• Standard Installation
• Custom Installation


3.7.1 Standard Installation


1 Download the SentinelLogManagementForIGA8.1.1.0.tar.gz from the NetIQ Downloads
website.


2 Navigate to a directory where you want to extract the file.
3 Run the following command to extract the file:
tar -zxvf SentinelLogManagementForIGA8.1.1.0.tar.gz
4 Navigate to the SentinelLogManagementforIGA directory.
5 To install SLM for IGA, run the following command:
./install.sh
6 Specify the language that you want to use for installation, then press Enter.
7 Enter y to accept the license agreement.
The installation might take a few seconds to load the installation packages.
8 When prompted, specify 1 to proceed with the standard installation.


Installation proceeds with the default evaluation license key included with the installer. At any
time during or after the evaluation period, you can replace the evaluation license with a license
key you have purchased.


9 Specify the password for the administrator user admin.
10 Confirm the password again.


This password is used by admin, dbauser, and appuser.


The installation finishes and the server starts. It might take a few minutes for all services to start after
installation because the system performs a one-time initialization. Wait until the installation finishes
before you log in to the Sentinel server.


To access the SLM for IGA main interface, specify the following URL in your web browser:


https://<IP_Address/DNS_SLM for IGA_server>:8443/sentinel/views/main.html
Where <IP_Address/DNS_SLM for IGA_server> is the IP address or DNS name of the SLM for IGA
server and 8443 is the default port for the SLM for IGA server.


3.7.2 Custom Installation


1 Download the SentinelLogManagementForIGA8.1.1.0.tar.gz from the NetIQ Downloads
website.


2 Navigate to the directory where you want to extract the file.
3 Run the following command to extract the file:
tar -zxvf SentinelLogManagementForIGA8.1.1.0.tar.gz
4 Navigate to the SentinelLogManagementforIGA directory.
5 Run the following command:
./install.sh
6 Enter y to accept the license agreement and continue with the installation.
The installation might take a few seconds to load the installation packages.
7 Specify 2 to perform a custom configuration of SLM for IGA.
8 Enter 1 to use the default evaluation license key.
or
Enter 2 to enter a purchased license key for SLM for IGA.
9 Specify the password for the administrator user admin and confirm the password again.
10 Specify the password for the database user dbauser and confirm the password again.


The dbauser account is the identity used by SLM for IGA to interact with the database. The
password you enter here can be used to perform database maintenance tasks, including
resetting the admin password if the admin password is forgotten or lost.


11 Specify the password for the application user appuser and confirm the password again.
12 Change the port assignments by entering the required number.


For example, the default port for Web Server is 8443. To modify the port number for Web Server,
specify 4. Enter the new port value for Web Server, for example, 8643.


13 After you have changed the ports, specify 8 for done.
14 Enter 1 to authenticate users using only the internal database.
or
If you have configured an LDAP directory in your domain, enter 2 to authenticate users by using
LDAP directory authentication.
The default value is 1.
15 Enter n when you are prompted to enable FIPS 140-2 mode.


16 Enter n when you are prompted to enable scalable storage.


The installation finishes and the server starts. It might take a few minutes for all services to start after
installation because the system performs a one-time initialization. Wait until the installation finishes
before you log in to the Sentinel server.


To access the SLM for IGA main interface, specify the following URL in your web browser:


https://<IP_Address/DNS_SLM for IGA_server>:<port>/sentinel/views/main.html
Where <IP_Address/DNS_SLM for IGA_server> is the IP address or DNS name of the SLM for IGA
server and <port> is the port for the SLM for IGA server.


Installing Identity Manager Engine as a Non-root User


You can install the Identity Manager engine as a non-root user to enhance the security of your Linux
server. You cannot install the Identity Manager engine as a non-root user if you installed the Identity
Vault as root. Perform the following steps to install the engine as a non-root user:

1. Ensure that NICI is installed. For more information, see “Installing NICI” on page 46. 


2. Perform a non-root installation of Identity Vault. For more information, see “Performing a Non-root 
Installation of Identity Vault” on page 46. 


3. Perform a non-root installation of Identity Manager Engine. For more information, see 
“Performing a Non-root Installation of Engine” on page 48. 


Installing NICI 


You must install NICI before you proceed with the Identity Vault installation. Since the required NICI 
packages are used system-wide, it is recommended that you use the root user to install the necessary 
packages. However, if necessary, you can delegate access to a different account using sudo and use 
that account to install the NICI packages. 
1 From the iso that you have mounted, navigate to the /IDVault/setup/ directory. 
2 Run the following command: 
rpm -ivh nici64-3.1.0-0.00.x86_64.rpm 


3 Verify that NICI is set to server mode. Enter the following command: 
/var/opt/novell/nici/set_server_mode 


This is a mandatory step to ensure that Identity Vault configuration does not fail. 


Performing a Non-root Installation of Identity Vault 


This section describes how to use the tarball to install the Identity Vault. When you extract the file, the 
system creates the etc, opt, and var directories. 


1 Log in as a sudo user with the appropriate rights to the computer where you want to install the 
Identity Vault. 


NOTE: You can also log in as a root user, when you want to specify a custom installation path. 


2 From the iso that you have mounted, navigate to the /IDVault/ directory. 


3 Create a new directory and copy the eDir_NonRoot.tar.gz file to that directory. For example, 
/home/user/install/eDirectory. 


4 Use the following command to extract the file: 
tar -zxvf eDir_NonRoot.tar.gz 


5 (Conditional) To manually export the paths for environment variables, enter the following 
commands: 

export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib64:custom_location/eDirectory/opt/novell/eDirectory/lib64/ndsmodules:custom_location/eDirectory/opt/novell/lib64:$LD_LIBRARY_PATH 


export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH 


export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH 


export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR 


6 (Conditional) To use the ndspath script to export the paths for environment variables, you must 
prefix the ndspath script to the utility. Complete the following steps: 
6a From the custom_location/eDirectory/opt directory, run the utility with the following 
command: 


custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath 
utility_name_with_parameters 


6b Export the paths in the current shell with the following command: 
. custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath 


6c Run the utilities as normal. 


6d Add the instructions for exporting the path to the end of /etc/profile, ~/.bashrc, or similar 
scripts. 


This step allows you to start the utilities directly whenever you log in or open a new shell. 
7 To configure the Identity Vault, complete one of the following steps: 


7a To run the ndsconfig utility, enter the following text at the command line: 


ndsconfig new [-t treename] [-n server_context] [-a admin_FDN] [-w admin_password] [-i] 
[-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] 
[-o http_port] [-O https_port] [-p IP_address:[port]] [-c] [-b port_to_bind] 
[-B interface1@port1,interface2@port2,..] [-D custom_location] [--config-file configuration_file] 


For example: 


ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 
-L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf 


NOTE 


+ You must specify port numbers between 1024 and 65535. You cannot assume the 
default port 524 for any eDirectory applications. 

This limitation on port specification might adversely affect the following types of 
applications: 

+ Applications that do not have an option to specify the target server port. 
+ Older applications that use NCP, and run as root for 524. 


+ You can specify IPv6 addresses in the -B and -P options. To specify an IPv6 address, 
you must contain the address within square braces [ ]. For example, -B 
[2015::4]@636. 


7b Use the ndsmanage utility to configure a new instance. 
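The following is an added example, not from the guide or the product, showing how to check the constraints the NOTE above places on a non-root instance before running ndsconfig: every port must fall in 1024-65535, an IPv6 address given to -B must be bracketed, and the tree name must follow the rules given for Identity Vault Tree Name under the configuration parameters. Function names are mine; the script only prints the assembled command so that you can review it before running it.

```shell
#!/bin/sh
# Added example, not part of the NetIQ guide: sanity-check the inputs of a
# non-root "ndsconfig new" call and assemble the command line for review.
# Assumptions: the ndsconfig options are the ones listed in the guide; the
# function names are mine; nothing is executed, the command is only printed.

# Return 0 if $1 is an integer in the unprivileged range 1024-65535.
# A non-root instance cannot bind the default NCP port 524.
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a valid tree name: 2 to 32 characters drawn from
# letters, digits, hyphens and underscores (network uniqueness is not checked here).
tree_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 32 ]
}

# Format one -B entry as interface@port; an IPv6 address must be wrapped
# in square brackets, as the guide's note requires, for example [2015::4]@636.
bind_entry() {
    case "$1" in
        *:*) printf '[%s]@%s' "$1" "$2" ;;
        *)   printf '%s@%s' "$1" "$2" ;;
    esac
}

# Print the ndsconfig new command line.  Arguments: tree name, server
# context, admin FDN, server name, instance directory, then the five ports
# in the order NCP bind (-b), LDAP (-L), LDAPS (-l), HTTP (-o), HTTPS (-O).
# The DIB, var directory and nds.conf are placed under the instance directory.
ndsconfig_cmd() {
    tree=$1; ctx=$2; admin=$3; server=$4; inst=$5
    shift 5
    tree_name_ok "$tree" || { echo "invalid tree name: $tree" >&2; return 1; }
    for p in "$@"; do
        port_ok "$p" || { echo "port $p is outside 1024-65535" >&2; return 1; }
    done
    printf 'ndsconfig new -t %s -n %s -a %s -S %s -d %s/data -b %s -L %s -l %s -o %s -O %s -D %s/var --config-file %s/nds.conf\n' \
        "$tree" "$ctx" "$admin" "$server" "$inst" "$1" "$2" "$3" "$4" "$5" "$inst" "$inst"
}

# Reproduces the guide's example instance for user mary.
ndsconfig_cmd mary-tree novell admin.novell linux1 /home/mary/inst1 1025 1026 1027 1028 1029
```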


Performing a Non-root Installation of Engine 


When you use this method, you cannot install the following components: 


+ Remote Loader: To install the Remote Loader as a non-root user, use the Java Remote 
Loader. For more information, see “Installing Java Remote Loader” on page 49. 


+ Linux Account Driver: Requires root privileges to function. 


NOTE: When you install Identity Manager engine as a non-root user, the installation files are located 
under the non-root user's home directory. For example, /home/user, where user is the non-root user. 
The installation files are not required to run Identity Manager. You can delete the files after installation. 


To install the Identity Manager engine as a non-root user: 


1 Log in as the non-root user that you used to install the Identity Vault. 


The user account must have write access to the directories and files of the non-root Identity Vault 
installation. 


2 Navigate to the location where you have mounted the Identity_Manager_4.7_Linux.iso. 


3 From the mount location, navigate to the /IDM directory. 


4 Execute the following command: 


./idm-nonroot-install.sh 
Use the following information to complete the installation: 
Base Directory for the non-root eDirectory Installation 


Specify the directory where the non-root eDirectory installation is. For example, /home/ 
user/install/eDirectory. 


Extend eDirectory Schema 


If this is the first Identity Manager server installed in this instance of eDirectory, enter Y to 
extend the schema. If the schema is not extended, Identity Manager cannot function. 


You are prompted to extend the schema for each instance of eDirectory owned by the non- 
root user that is hosted by the non-root eDirectory installation. 


If you select to extend the schema, specify the full distinguished name (DN) of the 
eDirectory user who has rights to extend the schema. The user must have the Supervisor 
right to the entire tree to extend the schema. For more information about extending the 
schema as a non-root user, see the schema.log file that is placed in the data directory for 
each instance of eDirectory. 


Run the /opt/novell/eDirectory/bin/idm-install-schema program to extend the 
schema on additional eDirectory instances after the installation is complete. 
6 To complete the installation process, continue to Section 5.9, “Completing a Non-root 
Installation,” on page 95. 


7 Activate Identity Manager. For more information, see <TBD - provide a link to the book where 
you will have the Activating Identity Manager section> 


8 To create and configure your driver objects, consult the specific guide for that driver. For more 
information, see Identity Manager Drivers documentation website. 


Installing Java Remote Loader 


In general, you install the Java Remote Loader, dirxml_jremote, on computers where the operating 
system is not compatible with the native Remote Loader. However, the Java Remote Loader can also 
run on the same servers where you might install the native Remote Loader. Identity Manager uses 
the Java Remote Loader to exchange data between the Identity Manager engine running on one 
server and the Identity Manager drivers running in another location, where rdxml does not run. You 
can install dirxml_jremote on any supported Linux computer with any publicly supported version of 
Java. 


1 On the server that hosts the Identity Manager engine, copy the application shim .iso or .jar 
files, located by default in the /opt/novell/eDirectory/lib/dirxml/classes directory. 

2 Log in to the computer where you want to install the Java Remote Loader (the target computer). 

3 Verify that the target computer has a supported version of JRE. 

4 To access the installation program, complete one of the following steps: 


4a (Conditional) If you have the .iso image file for the Identity Manager installation package, 
navigate to the directory containing the Java Remote Loader installation files, located by 
default in products/IDM/java_remoteloader. 


4b (Conditional) If you downloaded the Java Remote Loader installation files from the NetIQ 
Downloads website, complete the following steps: 


4b1 Navigate to the .tgz file for the downloaded image. 
4b2 Extract the contents of the file to a folder on the local computer. 


5 Copy the dirxml_jremote_dev.tar.gz file to the desired location on the target computer. For 
example, copy the file to /usr/idm. 


6 Copy one of the following files to the desired location on the target computer: 
+ dirxml_jremote.tar.gz 
+ dirxml_jremote_mvs.tar 


For information about mvs, untar the dirxml_jremote_mvs.tar file, then refer to the 
usage.html document. 


7 On the target computer, unzip and extract the .tar.gz files. 


For example, enter gunzip dirxml_jremote.tar.gz or tar -xvf dirxml_jremote_dev.tar. 


8 Place the .iso or .jar files for the application shim that you copied in Step 1 in the dirxml/ 
classes directory under the lib directory. 
9 To customize the dirxml_jremote script so the Java executable is reachable through the 
RDXML_PATH environment variable, complete one of the following steps: 


9a Enter one of the following commands to set the environment variable RDXML_PATH: 
+ set RDXML_PATH=path 
+ export RDXML_PATH 


9b Edit the dirxml_jremote script and prepend the path to the Java executable on the script 
line that executes Java. 


10 You must specify the location of the jar files in the dirxml_jremote script from the lib 
subdirectory of the untarred dirxml_jremote.tar.gz directory. For example, /lib/*.jar. 


11 Configure the sample configuration file config8000.txt for use with your application shim. 


The sample file is located by default in the /opt/novell/dirxml/doc directory. For more 
information, see Chapter 5.1, “Configuring the Remote Loader and Drivers,” on page 61. 
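The following is an added example, not from the guide or the product: a POSIX shell preflight for a Java Remote Loader host that checks the layout described in the steps above (jar files under lib, an application shim under lib/dirxml/classes) and that RDXML_PATH points at a directory containing an executable java. The directory layout and the meaning of RDXML_PATH are assumptions taken from those steps; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the NetIQ guide: preflight checks for a Java
# Remote Loader host before dirxml_jremote is started.  Assumptions: the
# untarred layout described in the guide (jar files under lib, the shim under
# lib/dirxml/classes) and RDXML_PATH naming the directory that holds the java
# executable; the function names are mine.

# Return 0 if the directory given as $1 (default: $RDXML_PATH) contains an
# executable named java; otherwise report the problem on stderr.
check_java_path() {
    dir=${1:-$RDXML_PATH}
    if [ -z "$dir" ] || [ ! -x "$dir/java" ]; then
        echo "RDXML_PATH ($dir) does not contain an executable java" >&2
        return 1
    fi
    return 0
}

# Return 0 if $1 (the untarred dirxml_jremote directory) holds at least one
# jar under lib and at least one .jar or .iso application shim under
# lib/dirxml/classes.  Each missing piece is reported on stderr.
check_layout() {
    base=$1
    rc=0
    jars=0
    for f in "$base"/lib/*.jar; do
        if [ -f "$f" ]; then jars=1; fi
    done
    if [ "$jars" -eq 0 ]; then
        echo "no jar files under $base/lib" >&2
        rc=1
    fi
    shims=0
    for f in "$base"/lib/dirxml/classes/*.jar "$base"/lib/dirxml/classes/*.iso; do
        if [ -f "$f" ]; then shims=1; fi
    done
    if [ "$shims" -eq 0 ]; then
        echo "no application shim under $base/lib/dirxml/classes" >&2
        rc=1
    fi
    return $rc
}

# Run both checks; $1 is the dirxml_jremote directory, $2 the java directory.
# Returns 0 only when every check passes.
jremote_preflight() {
    rc=0
    check_layout "$1" || rc=1
    check_java_path "$2" || rc=1
    return $rc
}
```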


3.10 Understanding the Directory Structure 


The installation process creates the following directory structure: 
+ /opt/netiq directory is the starting point of your directory structure. Every other file and 
directory is under this directory. 


+ common directory contains supporting software. This software is shared among the components 
that require it. 


+ idm directory contains component-specific subdirectories that include binary files for installing 
and configuring the components. 
Figure: directory tree under /opt/netiq. Directories shown: common, openssl, tomcat, activemq, 
postgres, and the apps subdirectories IDMReporting, UserApplication, Configupdate and sspr. 
3.11 Default Installation Locations 


The installation process places the components in the following predefined locations: 


Identity Manager Components          Default Installation Paths 
Identity Manager engine              /opt/novell/eDirectory/lib/dirxml 
Remote Loader                        /opt/novell/dirxml/bin/x86_64 
Fanout Agent                         /opt/novell/dirxml/fanoutagent 
Designer                             /root/designer 
iManager                             /var/opt/novell/iManager 
User Application                     /opt/netiq/idm/apps/UserApplication 
Identity applications                /opt/netiq/idm/apps 
Configuration Update utility         /opt/netiq/idm/apps/configupdate 
Identity Reporting                   /opt/netiq/idm/apps/IDMReporting 
SLM for IGA                          /opt/novell/sentinel 
Analyzer                             /root/analyzer 


Supporting Components                Default Installation Paths 
Oracle JRE                           /opt/netiq/common/jre 
Apache Tomcat                        /opt/netiq/idm/tomcat 
PostgreSQL                           /opt/netiq/idm/postgres 
Apache ActiveMQ                      /opt/netiq/idm/activemq 


The installation log files are generated in the /var/opt/netiq/idm/log directory. 


3.12 Component Versions Installed 


The following versions of the components and the supporting software are available with this release: 


Identity Manager Components                           Version 
Identity Vault                                        9.1 

    NOTE: If you are upgrading to Identity Manager 4.7, ensure that Identity Vault is upgraded to 
    version 9.1. 

Identity Manager engine, Remote Loader, Fanout Agent  4.7 
Designer                                              4.7 
iManager                                              3.1 
One SSO Provider                                      6.2.1 
Self-Service Password Reset                           4.2.0.4 
Identity applications                                 4.7 
Identity Reporting                                    6.0 
SLM for IGA                                           8.1.1.0 


Supporting Components                                 Version 
Oracle Java Development Kit (JRE)                     1.8.0_162 
Apache Tomcat                                         8.5.27 
PostgreSQL                                            9.6.6 
Apache ActiveMQ                                       5.15.2 
Configuring Identity Manager Engine, 
Identity Applications, and Identity 
Reporting 


This section guides you through the process of configuring Identity Manager engine, Identity 
Applications, and Identity Reporting that you installed in Chapter 3, “Installing Identity Manager,” on 
page 37. 


You can perform the configuration in interactive (console) or in silent mode by running the 
configure.sh script from the root of the .iso image file of the Identity Manager installation package. 


You must review the configuration options for each component before beginning the configuration 
process. For more information, see Section 4.1, “Understanding the Configuration Parameters,” on 
page 53. 


Some components, such as Designer and Analyzer, might not require configuration. 


4.1 Understanding the Configuration Parameters 


This section defines the parameters that you need to specify to configure the Identity Manager 
installation. You can use the installation program to configure the components immediately after 
installing them or later. 


NOTE 


+ If you configure Identity Applications and Identity Reporting in typical configuration mode, you 
cannot connect to a database installed on a different machine. 


+ The installation process does not allow you to enable auditing. You must separately enable it for 
Identity Manager components. For more information, see NetIQ Identity Manager - Configuring 
Auditing in Identity Manager. 


Parameter / Typical Configuration 


Identity Manager Engine 

Common password 
    Specifies whether you want to set a common password. 

Identity Vault Administrator name 
    Specifies the relative distinguished name (RDN) of the administrator object in the tree that has 
    full rights, at least to the context to which this server is added. 


Identity Applications 

Common password 
    Specifies whether you want to set a common password. 

Identity Vault Administrator name 
    Specifies the relative distinguished name (RDN) of the administrator object in the tree that has 
    full rights, at least to the context to which this server is added. 

Hostname (FQDN in lowercase) 
    Specifies the fully qualified domain name or the default IP address of the server. 

Application Server DNS/IP address 
    Specifies the IP address of the Tomcat server. 

Identity Applications administrator name 
    Specifies the name of the administrator account for the identity applications. 


Identity Reporting 

Common password 
    Specifies whether you want to set a common password. 

Identity Vault Hostname/IP Address 
    Specifies the IP address of the server where Identity Vault is installed. 

Identity Vault Administrator Name 
    Specifies the relative distinguished name (RDN) of the administrator object in the tree that has 
    full rights, at least to the context to which this server is added. 

Identity Vault Administrator Password 
    Specifies the password for the Administrator object. For example, password. 

Hostname (FQDN in lowercase) 
    Specifies the fully qualified domain name or the default IP address of the server. 

Connect to an external One SSO server 
    Specifies whether you want to connect to a different One SSO server. 

Application server DNS/IP address 
    Specifies the IP address of the Tomcat server. 

One SSO server DNS/IP address 
    Specifies the IP address of the server where the single sign-on service is installed. 

Identity Reporting One SSO Service password 
    Specifies the password for the authentication service for Identity Reporting. 

Identity Reporting Administrator name 
    Specifies the administrator name for Identity Reporting. The default value is 
    cn=uaadmin,ou=sa,o=data. 

Identity Reporting database account password 
    Specifies the database account password for Identity Reporting. 


Parameter / Custom Configuration 


Identity Manager Engine 

Identity Vault Tree Name 
    Specifies a new tree for your Identity Vault. The tree name must meet the following 
    requirements: 
    + The tree name must be unique in your network. 
    + The tree name must be 2 to 32 characters long. 
    + The tree name must contain only characters such as letters (A-Z), numbers (0-9), hyphens (-), 
      and underscores (_). 

Identity Vault Administrator Name 
    Specifies the relative distinguished name (RDN) of the administrator object in the tree that has 
    full rights, at least to the context to which this server is added. 
Identity Vault Administrator Password 
    Specifies the password for the Administrator object. For example, password. 

NDS var folder location 
    Specifies the path of this Identity Vault instance on this server. The default path is 
    /var/opt/novell/eDirectory. 

NDS data location 
    Specifies the path in the local system where you want to install the Directory Information Base 
    (DIB) files. The DIB files are your Identity Vault database files. The default location is 
    /var/opt/novell/eDirectory/data/dib. 

NCP Port 
    Specifies the NetWare Core Protocol (NCP) port that the Identity Vault uses to communicate with 
    the Identity Manager components. The default value is 524. 

LDAP non SSL port 
    Specifies the port on which the Identity Vault listens for LDAP requests in clear text. The 
    default value is 389. 

LDAP SSL port 
    Specifies the port on which the Identity Vault listens for LDAP requests using Secure Sockets 
    Layer (SSL) protocol. The default value is 636. 

Identity Vault HTTP Port 
    Specifies the port on which the HTTP stack operates in clear text. The default value is 8028. 

Identity Vault HTTPS Port 
    Specifies the port on which the HTTP stack operates using TLS/SSL protocol. The default value 
    is 8030. 

NDS configuration file with path 
    Specifies the location of the configuration file for Identity Vault. The default value is 
    /etc/opt/novell/eDirectory/conf/nds.conf. 

Identity Vault driver set name 
    Specifies the name for a new Identity Manager driver set object. 

Identity Vault driver set deploy context 
    Specifies the LDAP DN of the container where you want to create the driver set object. 


Identity Applications 

Common password 
    Specifies whether you want to set a common password. 

Hostname (FQDN in lowercase) 
    Specifies the fully qualified domain name or the default IP address of the server. 

    NOTE: Ensure that the FQDN is specified in lower case. The server hosting your component must 
    also be configured to use the FQDN in lower case. 

Identity Vault Hostname/IP Address 
    Specifies the IP address of the server where Identity Vault is installed. 

Identity Vault Administrator Name 
    Specifies the relative distinguished name (RDN) of the administrator object in the tree that has 
    full rights, at least to the context to which this server is added. 

Identity Vault Administrator Password 
    Specifies the password for the Administrator object. For example, password. 

Application server DNS/IP address 
    Specifies the IP address of the Tomcat server. 

OSP custom login screen name 
    Specifies the name that will be displayed on the OSP login screen. 
SSPR Configuration password 
    Applies only if you have set the common password as No. Specifies the password for password 
    management used by identity applications. 

OAuth keystore password 
    Applies only if you have set the common password as No. Specifies the password that you want to 
    create for loading the new keystore on the OAuth server. 

User search container DN 
    Specifies the default container for all user objects in the Identity Vault. 

Admin search container DN 
    Specifies the distinguished name of the container in the Identity Vault that contains any 
    administrator User objects that the authentication service (OSP) must authenticate. For 
    example, o=data. 

Application Server HTTPS port 
    Specifies the HTTPS port that you want the Tomcat server to use for communication with client 
    computers. The default value is 8543. 

One SSO server SSL port 
    Specifies the port that you want the single sign-on service to use. The default value is 8543. 

Identity Application One SSO Service password 
    Applies only if you have set the common password as No. Specifies the password for the single 
    sign-on client used by identity applications. 

Identity Applications administrator name 
    Specifies the name of the administrator account for the identity applications. 

LDAP non SSL port 
    Specifies the port on which the Identity Vault listens for LDAP requests in clear text. The 
    default value is 389. 

Identity Vault driver set name 
    Specifies the name of the driver set for Identity Vault. 

Identity Vault driver set deploy context 
    Specifies the LDAP DN of the container where you want to create the driver set object. 

Database Platform 
    Specifies the databases required for Identity Applications. 

Configure PostgreSQL on current server 
    Specifies if you want to configure the PostgreSQL database on the same server. 

Identity Applications database port 
    Specifies the database port for Identity Applications. 

Identity Applications database name 
    Specifies the name of the database. The default value is idmuserappdb. 

Identity Applications database user name 
    Specifies the user name for the administrator of the database for the identity applications. 

Identity Application database JDBC jar file 
    Specifies the JAR file for the database platform. 

Create schema 
    Indicates when you want to create the database schema as part of the installation process. The 
    available options are Now, Startup, and File. 

Create a new database or upgrade/migrate from an existing database 
    Specifies whether you want to create a new database or upgrade from an existing database. 
Use custom container as root container 
    Specifies whether you want to use a custom container as the root container. By default, the 
    installer creates o=data, chooses it as the user container, and assigns the password policies 
    and required trustee rights. To create a custom container, choose Yes. 

Custom container LDIF file path 
    Applies only if you have set the custom container as Yes. Specifies the path of the LDIF file 
    for the custom container. 

Root container 
    Specifies the root container. The default value is o=data. 

Group search root container DN 
    Specifies the DN of the group search root container. 


Identity Reporting 

Common password 
    Specifies whether you want to set a common password. 

Hostname (FQDN in lowercase) 
    Specifies the fully qualified domain name or the default IP address of the server. 

    NOTE: Ensure that the FQDN is specified in lower case. The server hosting your component must 
    also be configured to use the FQDN in lower case. 

Identity Vault Hostname/IP Address 
    Specifies the IP address of the server where Identity Vault is installed. 

LDAP SSL port 
    Specifies the port on which the Identity Vault listens for LDAP requests using Secure Sockets 
    Layer (SSL) protocol. The default value is 636. 

Identity Vault Administrator name 
    Specifies the relative distinguished name (RDN) of the administrator object in the tree that has 
    full rights, at least to the context to which this server is added. 

Identity Vault Administrator password 
    Specifies the password for the Administrator object. For example, password. 

Connect to an external One SSO Server 
    Specifies whether you want to connect to an external SSO server. 

Application server DNS/IP address 
    Specifies the IP address of the Tomcat server. 

OSP custom login screen name 
    Specifies the name that will be displayed on the OSP login screen. 

User search container DN 
    Specifies the default container for all user objects in the Identity Vault. 

Admin search container DN 
    Specifies the distinguished name of the container in the Identity Vault that contains any 
    administrator User objects that the authentication service (OSP) must authenticate. For 
    example, o=data. 

Application Server HTTPS port 
    Specifies the HTTPS port that you want the Tomcat server to use for communication with client 
    computers. The default value is 8543. 

One SSO server DNS/IP address 
    Specifies the IP address of the server where the single sign-on service is installed. 
One SSO server SSL port 
    Specifies the port that you want the single sign-on service to use. The default value is 8543. 

OAuth Keystore Password 
    Specifies the OAuth keystore password. 

Application Server Keystore Password 
    Specifies the keystore password for the application server. 

Identity Reporting One SSO Service password 
    Specifies the password for the authentication service for Identity Reporting. 

Select the database platform for Identity Reporting 
    Specifies the database that you want to use for Identity Reporting. 

Configure PostgreSQL on current server 
    Specifies if you want to configure the PostgreSQL database on the same server. 

Identity Reporting database account password 
    Specifies the database account password for Identity Reporting. 

Create a new database or upgrade/migrate from an existing database 
    Specifies whether you want to create a new database or upgrade from an existing database. 

Identity Vault driver set name 
    Specifies the name of the driver set for Identity Vault. 

Identity Vault driver set deploy context 
    Specifies the LDAP DN of the container where you want to create the driver set object. 

Identity Reporting Administrator name 
    Specifies the administrator name for Identity Reporting. The default value is 
    cn=uaadmin,ou=sa,o=data. 

Identity Reporting Administrator password 
    Specifies the administrator password for Identity Reporting. 

Identity Reporting database name 
    Specifies the database name for Identity Reporting. The default value is idmrptdb. 

Identity Reporting database user 
    Specifies the administration account that allows Identity Reporting to access and modify data 
    in the databases. The default value is rptadmin. 

Identity Reporting database host 
    Specifies the DNS name or IP address of the server where the database has to be created. 

Identity Reporting database port 
    Specifies the port to connect to the database. The default port is 5432. 

Identity Application database JDBC jar file 
    Specifies the JAR file for the database platform. 
Create schema 
    Indicates when you want to create the database schema as part of the installation process. The 
    available options are Now, Startup, and File. 

    If you select the database schema creation option as Startup or File, you must manually add the 
    datasource to the Identity Data Collection Services page. For more information, see 
    Section 5.7.1, “Manually Adding the DataSource in the Identity Data Collection Services Page,” 
    on page 84. 

    If your database is running on a separate server, you must connect to that database. For a 
    remotely installed PostgreSQL database, verify that the database is running. To connect to a 
    remote PostgreSQL database, see Section 5.7.6, “Connecting to a Remote PostgreSQL Database,” 
    on page 86. If you are connecting to an Oracle database, ensure that you have created an 
    Oracle database instance. For more information, see Oracle documentation. 

    If you select the database schema creation option as Startup or File, you must manually create 
    the tables and connect to the database after the configuration. For more information, see 
    Section 5.7.3, “Manually Generating the Database Schema,” on page 84. 

Default email address 
    Specifies the email address that you want Identity Reporting to use as the origination for 
    email notifications. 

SMTP Server 
    Specifies the IP address or DNS name of the SMTP email host that Identity Reporting uses for 
    notifications. 

SMTP Server port 
    Specifies the port number for the SMTP server. The default port is 465. 

Create the MSGW and DCS drivers for Identity Reporting 
    Specifies whether you want to create the MSGW and DCS drivers. 

4.2 Performing Configuration 


You can perform the configuration in the following ways: 


+ Performing an Interactive Configuration 


+ Performing a Silent Configuration 


4.2.1 Performing an Interactive Configuration 


1 Navigate to the location where you mounted the Identity_Manager_4.7_Linux.iso file. 


2 Specify the following command at the command line to run the configure.sh script: 


./configure.sh 


3 Decide whether you want to perform a typical configuration or a custom configuration. The 
configuration options will vary based on the components that you select for configuration. 


4 To configure the components, use the information from Section 4.1, “Understanding the 
Configuration Parameters,” on page 53. 
4.2.2 Performing a Silent Configuration 


1 Navigate to the location where you mounted the Identity_Manager_4.7_Linux.iso file. 
2 To run the silent installation, execute the following command: 

./configure.sh -s -f <location of the silent properties file> 

For example, 


./configure.sh -s -f /mnt/silent.properties, where /mnt/silent.properties is the 
location where you stored the silent properties file. 


3 To configure the components, use the information from Section 4.1, “Understanding the 
Configuration Parameters,” on page 53. 
Final Steps for Completing the 
Installation 


After Identity Manager installs, you should configure the drivers you installed to meet the policies and 
requirements defined by your business processes. You also need to configure Sentinel Log 
Management for IGA to gather audit events. Post-installation tasks typically include the following 
items: 

+ Section 5.1, “Configuring the Remote Loader and Drivers,” on page 61 

+ Section 5.2, “Configuring the Settings for the Identity Applications,” on page 62 

+ Section 5.3, “Creating Value Indexes for Identity Vault,” on page 82 

+ Section 5.4, “Configuration and Usage Considerations for the Identity Applications,” on page 82 

+ Section 5.5, “Specifying a Location for the Permission Index,” on page 83 

+ Section 5.6, “Starting the Identity Applications,” on page 83 

+ Section 5.7, “Configuring Identity Reporting,” on page 83 

+ Section 5.8, “Configuring the Runtime Environment for Data Collection,” on page 87 

+ Section 5.9, “Completing a Non-root Installation,” on page 95 


5.1 Configuring the Remote Loader and Drivers 


The Remote Loader can host the Identity Manager application shims contained in .so or .jar files. 
The Java Remote Loader hosts only Java driver shims. It does not load or host a native (C++) driver 
shim. 


Before using the Remote Loader, you must configure the application shim to connect securely with 
the Identity Manager engine. You must also configure both the Remote Loader and Identity Manager 
drivers. For more information, see <Driver Admin Guide>. ADD REF 
5.2 Configuring the Settings for the Identity Applications 


The Identity Applications Configuration utility helps you manage the settings for the User Application 
drivers and the identity applications. The installation program for the identity applications invokes a 
version of this utility so that you can more quickly configure the applications. You can also modify 
most of these settings after installation. 


The file to run the Configuration utility (configupdate.sh) is located by default in the 
/opt/netiq/idm/apps/configupdate directory: 


NOTE 


+ You should run configupdate.sh from the configupdate directory only. Running 
configupdate.sh from a custom location will result in failures. 


+ In a cluster, the configuration settings must be identical for all members of the cluster. 


This section explains the settings in the configuration utility. The settings are organized by tabs. If you 
install Identity Reporting, the process adds parameters for Reporting to the utility. 


+ Section 5.2.1, “Running the Identity Applications Configuration Utility,” on page 62 

+ Section 5.2.2, “User Application Parameters,” on page 63 

+ Section 5.2.3, “Reporting Parameters,” on page 72 

+ Section 5.2.4, “Authentication Parameters,” on page 74 

+ Section 5.2.5, “SSO Clients Parameters,” on page 77 

+ Section 5.2.6, “CEF Auditing Parameters,” on page 81 


5.2.1 Running the Identity Applications Configuration Utility 


1 In configupdate.sh.properties, ensure that the following options are configured correctly: 

edit_admin="true" 

use_console="false" 


NOTE: You should set use_console to true only if you want to run the utility in console 
mode. 

2 Save and close configupdate.sh.properties. 

3 At the command prompt, perform the following command to run the configuration utility: 


./configupdate.sh 


NOTE: You might need to wait a few minutes for the utility to start up. 
5.2.2 User Application Parameters 


When configuring the identity applications, this tab defines the values that the applications use when 
communicating with the Identity Vault. Some settings are required for completing the installation 
process. 


By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This 
tab includes the following groups of settings: 

+ “Identity Vault Settings” on page 63 

+ “Identity Vault DNs” on page 64 

+ “Identity Vault User Identity” on page 66 

+ “Identity Vault User Groups” on page 67 

+ “Identity Vault Certificates” on page 68 

+ “Email Server Configuration” on page 68 

+ “Trusted Key Store” on page 70 

+ “NetIQ Sentinel Digital Signature Certificate & Key” on page 70 

+ “Miscellaneous” on page 71 

+ “Container Object” on page 72 


Identity Vault Settings 


This section defines the settings that enable the identity applications to access the user identities and 
roles in the Identity Vault. Some settings are required for completing the installation process. 
Identity Vault Server 

Required 

Specifies the hostname or IP address for your LDAP server. For example: myLDAPhost. 


LDAP port 
Specifies the port on which the Identity Vault listens for LDAP requests in clear text. The default 
value is 389. 

LDAP secure port 


Specifies the port on which the Identity Vault listens for LDAP requests using Secure Sockets 
Layer (SSL) protocol. The default value is 636. 


If a service already loaded on the server (before you install eDirectory) uses the default port, you 
must specify a different port. 
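Added example, not part of the NetIQ guide: a check for the port conflict described above. Before settling on the LDAP port (389) and LDAP secure port (636), it reads the kernel's socket table in /proc/net/tcp (Linux only) to see whether another service already listens there, and picks the next free port when the default is taken. The table-path argument and the function names are constructed for this example so the parser can also be exercised on a copied table.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: detect whether another service
# already listens on the Identity Vault's LDAP ports. Reads /proc/net/tcp
# directly instead of calling ss or netstat; the optional TABLE argument
# lets the parser run against a copy of that table.

# listening_port_in_use PORT [TABLE]
#   Returns 0 if a socket in LISTEN state (st = 0A) is bound to PORT,
#   1 otherwise. TABLE defaults to /proc/net/tcp.
listening_port_in_use() {
    port=$1
    table=${2:-/proc/net/tcp}
    # local_address is column 2 as "hexIP:hexPORT"; compare the port part.
    hexport=$(printf '%04X' "$port")
    awk -v p="$hexport" '
        NR > 1 && $4 == "0A" {
            split($2, a, ":")
            if (a[2] == p) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$table"
}

# pick_ldap_port DEFAULT [TABLE]
#   Echoes DEFAULT when it is free; otherwise the first free port above it
#   (the guide requires a different port when the default is already taken).
pick_ldap_port() {
    candidate=$1
    table=${2:-/proc/net/tcp}
    while listening_port_in_use "$candidate" "$table"; do
        candidate=$((candidate + 1))
    done
    echo "$candidate"
}

# Usage on the host being configured (IPv4 listeners only; IPv6 is in /proc/net/tcp6):
if [ -r /proc/net/tcp ]; then
    echo "LDAP port: $(pick_ldap_port 389)   LDAP secure port: $(pick_ldap_port 636)"
fi
```

Run it as the installing user before filling in the two port fields; if the clear-text port comes back as anything other than 389, the same number has to be entered consistently in every component that talks to the Identity Vault.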

Identity Vault Administrator 
Required 


Specifies the credentials for the LDAP Administrator. For example, cn=admin. This user must 
already exist in the Identity Vault. 


The identity applications use this account to make an administrative connection to the Identity 
Vault. This value is encrypted, based on the master key. 

Identity Vault Administrator Password 
Required 


Specifies the password associated with the LDAP Administrator. This password is encrypted, based 
on the master key. 
Use Public Anonymous Account 
Specifies whether users who are not logged in can access the LDAP Public Anonymous 
Account. 

Secure Administrator Connection 


Specifies whether RBPM uses SSL protocol for all communication related to the admin account. 
This setting allows other operations that do not require SSL to operate without SSL. 


NOTE: This option might have adverse performance implications. 


Secure User Connection 


Specifies whether RBPM uses TLS/SSL protocol for all communication related to the logged-in 
user's account. This setting allows other operations that do not require TLS/SSL to operate 
without the protocol. 


NOTE: This option might have adverse performance implications. 


Identity Vault DNs 


This section defines the distinguished names for containers and user accounts that enable 
communication between the identity applications and other Identity Manager components. Some 
settings are required for completing the installation process. 
Root Container DN 
Required 
Specifies the LDAP distinguished name of the root container. This is used as the default entity 
definition search root when no search root is specified in the directory abstraction layer. For 
example, o=mycompany. 
User Container DN 
Required 


When showing the advanced options, the utility displays this parameter under Identity Vault User 
Identity. 


Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. 
The following considerations apply to this setting: 


+ Users in this container (and below) are allowed to log in to the identity applications. 


+ If you have started Tomcat hosting the identity applications, you cannot change this setting 
with the configupdate.sh file. 


+ This container must include the User Application Administrator that you specified as you set 
up the User Application driver. Otherwise, the specified account cannot execute workflows. 
Group Container DN 
Required 


When showing the advanced options, the utility displays this parameter under Identity Vault User 
Groups. 


Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the group 
container. The following considerations apply to this setting: 


+ Entity definitions within the directory abstraction layer use this DN. 
+ If you have started Tomcat hosting the identity applications, you cannot change this setting 
with the configupdate.sh file. 
User Application Driver 
Required 
Specifies the distinguished name of the User Application driver. 


For example, if your driver is UserApplicationDriver and your driver set is called myDriverSet, 
and the driver set is in a context of o=myCompany, specify 
cn=UserApplicationDriver,cn=myDriverSet,o=myCompany. 


User Application Administrator 
Required 


Specifies an existing user account in the Identity Vault that has the rights to perform 
administrative tasks for the specified user container for User Application. The following 
considerations apply to this setting: 


+ If you have started Tomcat hosting the User Application, you cannot change this setting with 
the configupdate.sh file. 


+ To change this assignment after you deploy the User Application, use the Administration > 
Security pages in the User Application. 


+ This user account has the right to use the Administration tab of the User Application to 
administer the portal. 


+ If the User Application Administrator participates in workflow administration tasks exposed 
in iManager, Designer, or the User Application (Requests & Approvals tab), you must grant 
this administrator appropriate trustee rights to object instances contained in the User 
Application driver. For more information, see the User Application Administration Guide for 
details. 


Provisioning Administrator 


Specifies an existing user account in the Identity Vault that will manage Provisioning Workflow 
functions available throughout the User Application. 


To change this assignment after you deploy the User Application, use the Administration > 
Administrator Assignments page in the User Application. 
Compliance Administrator 


Specifies an existing account in the Identity Vault that performs a system role to allow members 
to perform all functions on the Compliance tab. The following considerations apply to this setting: 


+ To change this assignment after you deploy the identity applications, use the 
Administration > Administrator Assignments page in the User Application. 


+ During a configuration update, changes to this value take effect only if you do not have a 
valid Compliance Administrator assigned. If a valid Compliance Administrator exists, then 
your changes are not saved. 
Roles Administrator 


Specifies the role that allows members to create, remove, or modify all roles, and grant or revoke 
any role assignment to any user, group, or container. It also allows its role members to run any 
report for any user. The following considerations apply to this setting: 


+ By default, the User Application Admin is assigned this role. 


+ To change this assignment after you deploy the identity applications, use the 
Administration > Administrator Assignments page in the User Application. 


+ During a configuration update, changes to this value take effect only if you do not have a 
valid Roles Administrator assigned. If a valid Roles Administrator exists, then your changes 
are not saved. 


Security Administrator 


Specifies the role that gives members the full range of capabilities within the Security domain. 
The following considerations apply to this setting: 


+ The Security Administrator can perform all possible actions for all objects within the Security 
domain. The Security domain allows the Security Administrator to configure access 
permissions for all objects in all domains within RBPM. The Security Administrator can 
configure teams, and also assign domain administrators, delegated administrators, and 
other Security Administrators. 


+ To change this assignment after you deploy the identity applications, use the 
Administration > Administrator Assignments page in the User Application. 
Resources Administrator 


Specifies the role that gives members the full range of capabilities within the Resource domain. 
The following considerations apply to this setting: 


+ The Resources Administrator can perform all possible actions for all objects within the 
Resource domain. 


+ To change this assignment after you deploy the identity applications, use the 
Administration > Administrator Assignments page in the User Application. 
RBPM Configuration Administrator 


Specifies the role that gives members the full range of capabilities within the Configuration 
domain. The following considerations apply to this setting: 


+ The RBPM Configuration Administrator can perform all possible actions on all objects within 
the Configuration domain. The RBPM Configuration Administrator controls access to 
navigation items within RBPM. In addition, the RBPM Configuration Administrator 
configures the delegation and proxy service, the provisioning user interface, and the 
workflow engine. 


+ To change this assignment after you deploy the identity applications, use the 
Administration > Administrator Assignments page in the User Application. 


RBPM Reporting Administrator 


Specifies the Reporting Administrator. By default, the installation program lists this value as the 
same user as the other security fields. 


Identity Vault User Identity 


This section defines the values that enable the identity applications to communicate with a user 
container in the Identity Vault. Some settings are required for completing the installation process. 


The utility displays these settings only when you select Show Advanced Options. 
User Container DN 
Required 


When not showing the advanced options, the utility displays this parameter under Identity Vault 
DNs. 


Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. 
The following considerations apply to this setting: 


+ Users in this container (and below) are allowed to log in to the identity applications. 


+ If you have started Tomcat hosting the identity applications, you cannot change this setting 
with the configupdate.sh file. 


+ This container must include the User Application Administrator that you specified as you set 
up the User Application driver. Otherwise, the specified account cannot execute workflows. 
User Search Scope 
Specifies the depth of scope that Identity Vault users can search the container. 


User Object Class 
Specifies the object class of the LDAP user. Usually the class is inetOrgPerson. 


Login Attribute 
Specifies the LDAP attribute that represents the user’s login name. For example, cn. 


Naming Attribute 
Specifies the LDAP attribute used as the identifier when looking up users or groups. This is not 
the same as the login attribute, which is used only during login. For example, cn. 

User Membership Attribute 


(Optional) Specifies the LDAP attribute that represents the user’s group membership. Do not use 
spaces when specifying the name. 


Identity Vault User Groups 


This section defines the values that enable the identity applications to communicate with a group 
container in the Identity Vault. Some settings are required for completing the installation process. 


The utility displays these settings only when you select Show Advanced Options. 


Group Container DN 
Required 


When not showing the advanced options, the utility displays this parameter under Identity Vault 
DNs. 


Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the group 
container. The following considerations apply to this setting: 


+ Entity definitions within the directory abstraction layer use this DN. 
+ If you have started Tomcat hosting the identity applications, you cannot change this setting 
with the configupdate.sh file. 
Group Container Scope 
Specifies the depth of scope that Identity Vault users can search for the group container. 


Group Object Class 
Specifies the object class of the LDAP group. Usually the class is groupofNames. 
Group Membership Attribute 
(Optional) Specifies the user’s group membership. Do not use spaces in this name. 


Use Dynamic Groups 
Specifies whether you want to use dynamic groups. 


You must also specify a value for Dynamic Group Object Class. 


Dynamic Group Object Class 
Applies only when you select Use Dynamic Groups. 


Specifies the object class of the LDAP dynamic group. Usually the class is dynamicGroup. 


Identity Vault Certificates 


This section defines the path and password for the JRE keystore. Some settings are required for 
completing the installation process. 
Keystore Path 

Required 


Specifies the full path to your keystore (cacerts) file of the JRE that Tomcat uses to run. You can 
manually enter the path or browse to the cacerts file. The following considerations apply to this 
setting: 


+ In environments, you must specify the installation directory of RBPM. The default value is 
set to the correct location. 


+ The installation program for the identity applications modifies the keystore file. On Linux, the 
user must have permission to write to this file. 
Keystore Password 
Required 


Specifies the password for the keystore file. The default is changeit. 


Email Server Configuration 


This section defines the values that enable email notifications, which you can use for email-based 
approvals. For more information, see “Enabling Support for Digital Signatures” in the NetIQ Identity 
Manager - Administrator’s Guide to the Identity Applications and “Manage Approvals by Email” in the 
Help for the Identity Applications. 

Notification Template Host 


Specifies the name or IP address of Tomcat that hosts the identity applications. For example, 
myapplicationServer. 


This value replaces the $HOST$ token in e-mail templates. The installation program uses this 
information to create a URL to provisioning request tasks and approval notifications. 
Notification Template Port 

Specifies the port number of Tomcat that hosts the identity applications. 


This value replaces the $PORT$ token in e-mail templates that are used in provisioning request 
tasks and approval notifications. 
Notification Template Secure Port 
Specifies the secure port number of Tomcat that hosts the identity applications. 


This value replaces the $SECURE_PORT$ token in e-mail templates used in provisioning 
request tasks and approval notifications. 


Notification Template Protocol 


Specifies a non-secure protocol included in the URL when sending user email. For example, 
http. 


This value replaces the $PROTOCOL$ token in e-mail templates used in provisioning request 
tasks and approval notifications. 


Notification Template Secure Protocol 
Specifies the secure protocol included in the URL when sending user email. For example, https. 


This value replaces the $SECURE_PROTOCOL$ token in e-mail templates used in provisioning 
request tasks and approval notifications. 
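Added example, not part of the NetIQ guide: how the five Notification Template settings above are substituted into the $HOST$, $PORT$, $SECURE_PORT$, $PROTOCOL$ and $SECURE_PROTOCOL$ tokens of an e-mail template, and a check that flags template links built on the clear-text protocol token. The two-line template, the secure port 8443 and the "/IDMProv" paths are constructed for the example (the host myapplicationServer and port 8080 are the guide's own example values); the identity applications' real templates are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: substitute the Notification Template
# settings into the e-mail template tokens. The template and the secure port
# 8443 are constructed; myapplicationServer and 8080 come from the guide.

# render_template HOST PORT SECURE_PORT PROTOCOL SECURE_PROTOCOL
#   Reads a template on stdin and writes it with the five tokens replaced.
#   Each token is matched literally (\$ in the BRE), so replacing $PORT$
#   does not touch $SECURE_PORT$ and $PROTOCOL$ leaves $SECURE_PROTOCOL$ alone.
render_template() {
    sed -e 's|\$HOST\$|'"$1"'|g' \
        -e 's|\$PORT\$|'"$2"'|g' \
        -e 's|\$SECURE_PORT\$|'"$3"'|g' \
        -e 's|\$PROTOCOL\$|'"$4"'|g' \
        -e 's|\$SECURE_PROTOCOL\$|'"$5"'|g'
}

# constructed_template: one approval link on the secure tokens and one image
# URL on the clear-text tokens (the guide's image-location example is also http).
constructed_template() {
    cat <<'EOF'
Approve at $SECURE_PROTOCOL$://$HOST$:$SECURE_PORT$/IDMProv
Images from $PROTOCOL$://$HOST$:$PORT$/IDMProv/images
EOF
}

# rendered_links: the constructed template rendered with the guide's example
# host and port plus constructed values for the secure port and protocols.
rendered_links() {
    constructed_template | render_template myapplicationServer 8080 8443 http https
}

# count_cleartext_links: number of template lines (stdin) whose link is built
# on the clear-text protocol token. Approval links carry task identifiers, so
# a non-zero count for an approval template deserves a review before go-live.
count_cleartext_links() {
    grep -c '\$PROTOCOL\$://'
}

rendered_links
```

The token order in render_template does not matter because every token is anchored on both of its $ signs; the point of the check at the end is that a template author can mix secure and clear-text tokens freely, so the rendered output, not the settings, is what to audit.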


Notification SMTP Email From 


Specifies the email account that the identity applications use to send email notifications. 


SMTP Server Name 
Specifies the IP address or DNS name of the SMTP email host that the identity applications use 
for provisioning emails. Do not use localhost. 
Server requires authentication 
Specifies whether you want the server to require authentication. 
You must also specify the credentials for the email server. 


User name 
Applies only when you enable Server requires authentication. 
Specifies the name of a login account for the email server. 


Password 
Applies only when you enable Server requires authentication. 


Specifies the password of a login account for the mail server. 


Use SMTP TLS 
Specifies whether you want to secure the contents of email messages during transmission 
between the mail servers. 

Email Notification Image Location 
Specifies the path to the image that you want to include in email notifications. For example, 
http://localhost:8080/IDMProv/images. 

Sign email 
Specifies whether you want to add a digital signature to outgoing messages. 


If you enable this option, you must also specify settings for the keystore and signature key. 


Keystore Path 
Applies only when you enable Sign email. 




Specifies the full path to the keystore (cacerts) file that you want to use for digitally signing an 
email. You can manually enter the path or browse to the cacerts file. 


For example, /opt/netiq/idm/apps/jre/lib/security/cacerts. 


Keystore Password 
Applies only when you enable Sign email. 


Specifies the password for the keystore file. For example, changeit. 


Alias of signature key 
Applies only when you enable Sign email. 


Specifies the alias of the signing key in the keystore. For example, idmapptest. 


Signature key password 
Applies only when you enable Sign email. 


Specifies the password that protects the file containing the signature key. For example, 
changeit. 


Trusted Key Store 


This section defines the values for the trusted keystore for the identity applications. The utility 
displays these settings only when you select Show Advanced Options. 
Trusted Store Path 


Specifies the path to the Trusted Key Store that contains all trusted signers’ certificates. If this 
path is empty, the identity applications get the path from System property 
javax.net.ssl.trustStore. If the System property cannot provide the path, the installation 
program defaults to jre/lib/security/cacerts. 

Trusted Store Password 


Specifies the password for the Trusted Key Store. If you leave this field empty, the identity 
applications get the password from the System property javax.net.ssl.trustStorePassword. If 
the System property cannot provide the password, the installation program defaults to changeit. 


This password is encrypted, based on the master key. 


Trusted Store Type 


Specifies whether the trusted store path uses a Java keystore (JKS) or PKCS12 for digital 
signing. 
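Added example, not part of the NetIQ guide: the precedence the Trusted Store Path and Trusted Store Password entries describe, written out as shell functions: a configured value wins, then the javax.net.ssl.trustStore / javax.net.ssl.trustStorePassword system properties, then the defaults jre/lib/security/cacerts and changeit. Reading the system properties out of a JAVA_OPTS-style string, the default JRE location under /opt/netiq/idm/apps/jre (the guide's example path) and the audit function are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: resolve the effective trusted
# keystore path and password in the order the guide describes (configured
# value, then system property, then default). Parsing -D options from a
# JAVA_OPTS-style string is an assumption made for this example.

# java_prop OPTS NAME
#   Echoes the value of -DNAME=value found in OPTS (last one wins), or nothing.
java_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s|^-D$2=||p" | tail -n 1
}

# resolve_trusted_store CONFIGURED_PATH JAVA_OPTS [JRE_HOME]
#   JRE_HOME defaults to the guide's example JRE location.
resolve_trusted_store() {
    path=$1
    [ -n "$path" ] || path=$(java_prop "$2" javax.net.ssl.trustStore)
    [ -n "$path" ] || path="${3:-/opt/netiq/idm/apps/jre}/lib/security/cacerts"
    echo "$path"
}

# resolve_trusted_store_password CONFIGURED_PASSWORD JAVA_OPTS
resolve_trusted_store_password() {
    pw=$1
    [ -n "$pw" ] || pw=$(java_prop "$2" javax.net.ssl.trustStorePassword)
    [ -n "$pw" ] || pw=changeit
    echo "$pw"
}

# audit_trusted_store PATH PASSWORD
#   0 when the store exists and the password is not the well-known default;
#   1 when the file is missing; 2 when the default password is in effect.
audit_trusted_store() {
    [ -f "$1" ] || { echo "trusted store not found: $1" >&2; return 1; }
    [ "$2" != "changeit" ] || { echo "trusted store still uses the default password" >&2; return 2; }
    return 0
}

# Usage: resolve with an empty configured value and the running JVM's options,
# then audit the result (JAVA_OPTS is whatever the Tomcat service exports).
store=$(resolve_trusted_store "" "${JAVA_OPTS:-}")
pw=$(resolve_trusted_store_password "" "${JAVA_OPTS:-}")
audit_trusted_store "$store" "$pw" || true
```

Because an empty field silently falls through to cacerts and changeit, the audit step is the part worth keeping: it makes the fallback visible instead of letting a misspelled path quietly select the JRE's default store.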


NetIQ Sentinel Digital Signature Certificate & Key 


This section defines the values that allow Identity Manager to communicate with Sentinel for auditing 
events. The utility displays these settings only when you select Show Advanced Options. 
Sentinel Digital Signature Certificate 
Lists the custom public key certificate that you want the OAuth server to use to authenticate audit 
messages sent to Sentinel. 
Sentinel Digital Signature Private Key 


Specifies the path to the custom private key file that you want the OAuth server to use to 
authenticate audit messages sent to Sentinel. 
Miscellaneous 


The utility displays these settings only when you select Show Advanced Options. 


OCSP URI 


Specifies the Uniform Resource Identifier (URI) to use when the client installation uses the 
Online Certificate Status Protocol (OCSP). For example, http://host:port/ocspLocal. 


The OCSP URI updates the status of trusted certificates online. 


Authorization Config Path 


Specifies the fully qualified name of the authorization configuration file. 


Identity Vault Indexes 


After installation, you can modify manager, ismanager, and srvprvUUID attributes to point to a 
location of the indexes. The following considerations apply to this setting: 


+ Without indexes on these attributes, identity applications users can experience impeded 
performance of the identity applications. 


+ You can create these indexes manually by using iManager after you install the identity 
applications. 


+ The indexes must be in Online mode before you make the identity applications available to 
users. 


+ To create or delete an index, you must also specify a value for Server DN. 
Server DN 
Applies only when you want to create or delete an Identity Vault index. 
Specifies the eDirectory server where you want the indexes to be created or removed. 


You can specify only one server at a time. To configure indexes on multiple eDirectory servers, 
you must run the RBPM Configuration utility multiple times. 


Reinitialize RBPM Security 


Specifies whether you want to reset RBPM security when the installation process completes. 
You must also redeploy the identity applications. 


IDMReport URL 


Specifies the URL of the Identity Manager Reporting Module. For example, 
http://hostname:port/IDMRPT. 


Custom Themes Context Name 


Specifies the name of the customized theme that you want to use for displaying the identity 
applications in the browser. 


Log Message Identifier Prefix 


Specifies the value that you want to use in the layout pattern for the CONSOLE and FILE 
appenders in the idmuserapp_logging.xml file. The default value is RBPM. 


Change RBPM Context Name 
Specifies whether you want to change the context name for RBPM. 


You must also specify the new name and DN of the Roles and Resource driver. 
RBPM Context Name 
Applies only when you select Change RBPM Context Name. 


Specifies the new context name for RBPM. 
Role Driver DN 
Applies only when you select Change RBPM Context Name. 


Specifies the DN of the Roles and Resource driver. 


Container Object 


These parameters apply only during installation. 
This section helps you to define the values for container objects or create new container objects. 


Selected 


Specifies the Container Object Types that you want to use. 


Container Object Type 
Specifies the container: locality, country, organizationalUnit, organization, or domain. 


You can also define your own containers in iManager and add them under Add a new Container 
Object. 


Container Attribute Name 
Specifies the name of the Attribute Type associated with the specified Container Object Type. 


Add a New Container Object: Container Object Type 


Specifies the LDAP name of an object class from the Identity Vault that can serve as a new 
container. 


Add a New Container Object: Container Attribute Name 


Specifies the name of the Attribute Type associated with the new Container Object Type. 


5.2.3 Reporting Parameters 


When configuring the identity applications, this tab defines the values for managing Identity 
Reporting. The utility adds this tab when you install Identity Reporting. 


By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This 
tab includes the following groups of settings: 

+ “Email Delivery Configuration” on page 73 

+ “Report Retention Values” on page 73 

+ “Modify Locale” on page 74 

+ “Role Configuration” on page 74 
Email Delivery Configuration 


This section defines the values for sending notifications. 


SMTP Server Hostname 


Specifies the DNS name or IP address of the email server that you want Identity Reporting to 
use when sending notification. Do not use localhost. 


SMTP Server Port 

Specifies the port number for the SMTP server. 
SMTP Use SSL 

Specifies whether you want to use TLS/SSL protocol for communication with the email server. 
Server Needs Authentication 

Specifies whether you want to use authentication for communications with the email server. 
SMTP User Name 

Specifies the email address that you want to use for authentication. 


You must specify a value. If the server does not require authentication, you can specify an invalid 
address. 


SMTP User Password 
Applies only when you specify that the server requires authentication. 
Specifies the password for the SMTP user account. 


Default Email Address 


Specifies the email address that you want Identity Reporting to use as the origination for email 
notifications. 


Report Retention Values 


This section defines the values for storing completed reports. 


Report Unit, Report Lifetime 


Specifies the amount of time that Identity Reporting keeps completed reports before deleting 
them. For example, to specify six months, enter 6 in the Report Lifetime field and then select 
Month in the Report Unit field. 


Location of Reports 


Specifies a path where you want to store the report definitions. For example, 
/opt/netiq/IdentityReporting. 
Modify Locale 


This section defines the values for the language that you want Identity Reporting to use. Identity 
Reporting uses the specific locales in searches. For more information, see the Administrator Guide to 
NetIQ Identity Reporting. 


Role Configuration 


This section defines the values for the authentication sources that Identity Reporting uses to generate 
reports. 


Add Authentication Source 


Specifies the type of authentication source that you want to add for reporting. Authentication 
sources can be: 


+ Default 
+ LDAP Directory 
+ File 


5.2.4 Authentication Parameters 


When configuring the identity applications, this tab defines the values that Tomcat uses to direct 
users to the identity application and password management pages. 


By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This 
tab includes the following groups of settings: 

+ “Authentication Server” on page 74 

+ “Authentication Configuration” on page 75 

+ “Authentication Method” on page 75 

+ “Password Management” on page 76 

+ “Sentinel Digital Signature Certificate and Key” on page 77 


Authentication Server 


This section defines settings for the identity applications to connect to the authentication server. 


OAuth server host identifier 
Required 
Specifies the relative URL of the authentication server that issues tokens to OSP. For example, 
192.168.0.1. 
OAuth server TCP port 
Specifies the port for the authentication server. 


OAuth server is using TLS/SSL 
Specifies whether the authentication server uses TLS/SSL protocol for communication. 
Optional TLS/SSL truststore file 


Applies only when you select OAuth server is using TLS/SSL and the utility is showing the 
advanced options. 
Optional TLS/SSL truststore password 


Applies only when you select OAuth server is using TLS/SSL and the utility is showing the 
advanced options. 


Specifies the password used to load the keystore file for the TLS/SSL authentication server. 


NOTE: If you do not specify the keystore path and password, and the trust certificate for the 
authentication server is not in the JRE trust store (cacerts), the identity applications fail to 
connect to the authentication service that uses TLS/SSL protocol. 


Authentication Configuration 


This section defines settings for the authentication server. 


LDAP DN of Admins Container 
Required 
Specifies the distinguished name of the container in the Identity Vault that contains any 
administrator User objects that OSP must authenticate. For example, ou=sa,o=data. 

Duplicate resolution naming attribute 
Specifies the name of the LDAP attribute used to differentiate between multiple eDirectory User 
objects with the same cn value. The default value is mail. 

Restrict authentication sources to contexts 
Specifies whether searches in the user and administrator containers in the Identity Vault are 
restricted to only User objects in those containers or searches should also include 
subcontainers. 

Session Timeout (minutes) 
Specifies the number of minutes of inactivity in a session before the server times out the user’s 
session. The default value is 20 minutes. 

Access token lifetime (seconds) 
Specifies the number of seconds an OSP access token remains valid. The default value is 60 
seconds. 

Refresh token lifetime (hours) 


Specifies the number of hours an OSP refresh token remains valid. The refresh token is used 
internally by OSP. The default value is 48 hours. 


Authentication Method 


This section defines the values that enable OSP to authenticate users who log in to the browser- 
based components of Identity Manager. 
Method 
Specifies the type of authentication that you want Identity Manager to use when a user logs on. 
+ Name and Password: OSP verifies authentication with the identity vault. 


+ Kerberos: OSP accepts authentication from both a Kerberos ticket server and the identity 
vault. You must also specify a value for Mapping attribute name. 


+ SAML 2.0: OSP accepts authentication from both a SAML identity provider and the identity 
vault. You must also specify values for Mapping attribute name and Metadata URL. 
Mapping attribute name 
Applies only when you specify Kerberos or SAML. 
Specifies the name of the attribute that maps to the Kerberos ticket server or SAML 
representations at the identity provider. 
Metadata URL 
Applies only when you specify SAML. 
Specifies the URL that OSP uses to redirect the authentication request to SAML. 


Password Management 


This section defines the values that enable users to modify their passwords as a self-service 
operation. 
Password Management Provider 
Specifies the type of password management system that you want to use. 
User Application (Legacy): Uses the password management program that Identity Manager 
traditionally has used. This option also allows you to use an external password management 
program. 
Forgotten Password 
This check box parameter applies only when you want to use SSPR. 


Specifies whether you want users to recover a forgotten password without contacting a help 
desk. 


You must also configure the challenge-response policies for the Forgotten Password feature. For 
more information, see the NetIQ Self Service Password Reset Administration Guide. 

Forgotten Password 
This menu list applies only when you select User Application (Legacy). 


Specifies whether you want to use the password management system integrated with the User 
Application or an external system. 


+ Internal: Use the default internal Password Management functionality, 
./jsps/pwdmgt/ForgotPassword.jsp (without the http(s) protocol at the beginning). This 
redirects the user to the Forgot Password functionality built into the User Application, rather 
than to an external WAR. 

+ External: Use an external Forgot Password WAR to call back the User Application 
through a web service. You must also specify the settings for the external system. 

Forgotten Password Link 
Applies only when you want to use an external password management system. 
Specifies the URL that points to the Forgot Password functionality page. Specify a 
ForgotPassword.jsp file in an external or internal password management WAR. 

Forgotten Password Return Link 
Applies only when you want to use an external password management system. 
Specifies the URL for the Forgot Password Return Link that the user can click after performing a 
forgot password operation. 

Forgotten Password Web Service URL 
Applies only when you want to use an external password management system. 
Specifies the URL that the External Forgot Password WAR will use to call back to the User 
Application to perform core forgot password functionalities. Use the following format: 

https://<idmhost>:<sslport>/<idm>/pwdmgt/service 


Sentinel Digital Signature Certificate and Key 


This section defines the values that allow Identity Manager to communicate with Sentinel for auditing 
events. 


Sentinel Digital Signature Certificate 


Specifies a custom public key certificate that you want the OSP server to use to authenticate 
audit messages sent to the audit system. 


For information about configuring certificates for Novell Audit, see “Managing Certificates” in the 
Novell Audit Administration Guide. 
Sentinel Digital Signature Private Key 


Specifies the path to the custom private key file that you want the OSP server to use to 
authenticate audit messages sent to the audit system. 


SSO Clients Parameters 


When configuring the identity applications, this tab defines the values for managing single sign-on 
access to the applications. 


By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This 
tab includes the following groups of settings: 


+ “IDM Dashboard” on page 77 
+ “IDM Administrator” on page 78 
+ “RBPM” on page 78 
+ “Reporting” on page 79 
+ “IDM Data Collection Service” on page 80 
+ “DCS Driver” on page 80 
+ “Self Service Password Reset” on page 81 


IDM Dashboard 


This section defines the values for the URL that users need to access the Identity Manager 
Dashboard, which is the primary login location for the identity applications. 


Figure 5-1 IDM Dashboard (screenshot of the IDM Dashboard settings: OAuth client ID, OAuth client 
secret, and OSP OAuth redirect URL) 
OAuth client ID 
Required 


Specifies the name that you want to use to identify the single sign-on client for the Dashboard to 
the authentication server. The default value is idmdash. 


OAuth client secret 

Required 

Specifies the password for the single sign-on client for the Dashboard. 
OSP OAuth redirect URL 

Required 


Specifies the absolute URL to which the authentication server redirects a browser client when 
authentication is complete. 


Use the following format: protocol://server:port/path. For example, 
https://192.168.0.1:8543/idmdash/oauth.html. 


IDM Administrator 


This section defines the values for the URL that users need to access the Identity Manager 
Administrator page. 


OAuth client ID 
Required 


Specifies the name that you want to use to identify the single sign-on client for the Identity 
Manager Administrator to the authentication server. The default value is idmadmin. 


OAuth client secret 

Required 

Specifies the password for the single sign-on client for the Identity Manager Administrator. 
OSP OAuth redirect URL 

Required 


Specifies the absolute URL to which the authentication server redirects a browser client when 
authentication is complete. 


Use the following format: protocol://server:port/path. For example, 
https://192.168.0.1:8543/idmadmin/oauth.html. 


RBPM 


This section defines the values for the URL that users need to access the User Application. 


Figure 5-2 RBPM (screenshot of the RBPM settings: OAuth client ID, OAuth client secret, URL link to 
landing page, OSP OAuth redirect URL, and RBPM to eDirectory SAML configuration) 
OAuth client ID 
Required 


Specifies the name that you want to use to identify the single sign-on client for the User 
Application to the authentication server. The default value is rbpm. 


OAuth client secret 

Required 

Specifies the password for the single sign-on client for the User Application. 
URL link to landing page 

Required 


Specifies the relative URL to use to access the Dashboard from the User Application. The 
default value is /landing. 


OSP OAuth redirect URL 
Required 


Specifies the absolute URL to which the authentication server redirects a browser client when 
authentication is complete. 


Use the following format: protocol://server:port/path. For example, 
https://192.168.0.1:8543/IDMProv/oauth. 


RBPM to eDirectory SAML configuration 
Required 
Specifies the RBPM to eDirectory SAML settings required for SSO authentication. 


Reporting 


This section defines the values for the URL that users need to access Identity Reporting. The utility 
displays these values only if you add Identity Reporting to your Identity Manager solution. 


Figure 5-3 Reporting (screenshot of the Reporting settings: OAuth client ID, OAuth client secret, URL 
link to landing page, URL link to Identity Governance, and OSP OAuth redirect URL) 


OAuth client ID 
Required 


Specifies the name that you want to use to identify the single sign-on client for the Identity 
Reporting to the authentication server. The default value is rpt. 


OAuth client secret 
Required 


Specifies the password for the single sign-on client for Identity Reporting. 
URL link to landing page 
Required 


Specifies the relative URL to use to access the Dashboard from Identity Reporting. The default 
value is /idmdash/#/landing. 


If you installed Identity Reporting and the identity applications on separate servers, specify an 
absolute URL to the Dashboard instead. Use the following format: protocol://server:port/path. For 
example, https://192.168.0.1:8543/idmdash/#/landing. 


OSP OAuth redirect URL 
Required 


Specifies the absolute URL to which the authentication server redirects a browser client when 
authentication is complete. 


Use the following format: protocol://server:port/path. For example, 
https://192.168.0.1:8543/IDMRPT/oauth. 


IDM Data Collection Service 


This section defines the values for the URL that users need to access the Identity Manager Data 
Collection Service. 


OAuth client ID 
Required 


Specifies the name that you want to use to identify the single sign-on client for Identity Manager 
Data Collection Service to the authentication server. The default value is idmdcs. 


OAuth client secret 
Required 


Specifies the password for the single sign-on client for the Identity Manager Data Collection 
Service. 


OSP OAuth redirect URL 
Required 


Specifies the absolute URL to which the authentication server redirects a browser client when 
authentication is complete. 


Use the following format: protocol://server:port/path. For example, 
https://192.168.0.1:8543/idmdcs/oauth.html. 


DCS Driver 
This section defines the values for managing the Data Collection Services driver. 
Figure 5-4 DCS Driver (screenshot of the DCS Driver settings: OAuth client ID and OAuth client 
secret) 
OAuth client ID 


Specifies the name that you want to use to identify the single sign-on client for the Data 
Collection Service driver to the authentication server. The default value for this parameter is 
dcsdrv. 


OAuth client secret 


Specifies the password for the single sign-on client for the Data Collection Service driver. 


Self Service Password Reset 


This section defines the values for the URL that users need to access SSPR. 
OAuth client ID 
Required 


Specifies the name that you want to use to identify the single sign-on client for SSPR to the 
authentication server. The default value is sspr. 


OAuth client secret 

Required 

Specifies the password for the single sign-on client for SSPR. 
OSP OAuth redirect URL 

Required 


Specifies the absolute URL to which the authentication server redirects a browser client when 


authentication is complete. 


Use the following format: protocol://server:port/path. For example, 
https://192.168.0.1:8543/sspr/public/oauth.html. 
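The SSO client records above share the same three fields, and the same mistakes recur across them: a redirect URL that is not an absolute https://server:port/path, a client secret that is empty, trivially short, equal to the client ID, or (for the DCS driver) left at the default password "driver" that the DCS driver configuration steps later in this chapter mention, and two clients configured with the same ID. The following Python script is an added example for checking a set of client records before you save the configuration; it is not part of the NetIQ documentation or product. The client IDs are the defaults listed above, 192.168.0.1:8543 is the host and port from the page's examples, and the sample secrets, the 12-character minimum and the finding texts are assumptions made for this check. 

```python
"""Sanity checks for the SSO client parameters described above (added example)."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

MIN_SECRET_LEN = 12  # assumption for this check, not a product requirement


def check_redirect_url(url: str, expected_host: Optional[str] = None) -> List[str]:
    """Return findings for an OSP OAuth redirect URL; an empty list means it looks right."""
    findings: List[str] = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or '(none)'}', expected https")
    if not parts.hostname:
        findings.append("not an absolute URL: no host")
        return findings
    try:
        if parts.port is None:
            findings.append("no explicit port (format is protocol://server:port/path)")
    except ValueError:
        findings.append("port is not a valid number")
    if parts.path in ("", "/"):
        findings.append("no path component")
    if parts.query or parts.fragment:
        findings.append("query or fragment present; register a plain path")
    if expected_host and parts.hostname != expected_host:
        findings.append(f"host {parts.hostname!r} differs from expected {expected_host!r}")
    return findings


def check_client(client: Dict[str, str], expected_host: Optional[str] = None) -> List[str]:
    """Check one SSO client record with keys id, secret and (optionally) redirect_url."""
    findings: List[str] = []
    cid, secret = client.get("id", ""), client.get("secret", "")
    if not cid:
        findings.append("client ID is empty")
    if not secret:
        findings.append("client secret is empty")
    elif secret == cid:
        findings.append("client secret equals the client ID")
    elif cid == "dcsdrv" and secret == "driver":
        findings.append("DCS driver secret is still the default 'driver'")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"client secret is shorter than {MIN_SECRET_LEN} characters")
    if "redirect_url" in client:
        findings += [f"redirect URL: {f}" for f in check_redirect_url(client["redirect_url"], expected_host)]
    return [f"{cid or '?'}: {f}" for f in findings]


def check_sso_clients(clients, expected_host: Optional[str] = None) -> List[str]:
    """Check every client record and make sure no two clients share an ID."""
    findings: List[str] = []
    seen = set()
    for client in clients:
        cid = client.get("id", "")
        if cid in seen:
            findings.append(f"{cid}: client ID is used by more than one client")
        seen.add(cid)
        findings += check_client(client, expected_host)
    return findings


# Constructed sample input; 192.168.0.1:8543 is the host and port the page uses in its examples.
SAMPLE_CLIENTS = [
    {"id": "idmdash", "secret": "Xk9!vQ2#mPz8rT", "redirect_url": "https://192.168.0.1:8543/idmdash/oauth.html"},
    {"id": "rbpm", "secret": "rbpm", "redirect_url": "http://192.168.0.1:8543/IDMProv/oauth"},
    {"id": "dcsdrv", "secret": "driver"},
    {"id": "sspr", "secret": "Short1", "redirect_url": "/sspr/public/oauth.html"},
]

if __name__ == "__main__":
    for finding in check_sso_clients(SAMPLE_CLIENTS, expected_host="192.168.0.1"):
        print(finding)
```

Run the script as-is to see the six findings the sample produces (only the idmdash record passes); pass expected_host to catch a redirect URL that points at a different host than the one users will be sent back to. 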


CEF Auditing Parameters 


This section defines the values for managing the CEF auditing parameters for the single sign-on 
client. 


Send audit events 
Specifies whether you want to use CEF for auditing events. 
Destination host 
Specifies the DNS name or the IP address of the auditing server. 
Destination port 
Specifies the port of the auditing server. 
Network Protocol 
Specifies the network protocol used by the auditing server to receive CEF events. 
Use TLS 
Applies only when you want to use TCP as your network protocol. 


Specifies if the auditing server is configured to use TLS with TCP. 

Intermediate event store directory 


Specifies the location of the cache directory before the CEF events are sent to the auditing 
server. 


NOTE: Ensure that the novlua permissions are set for the cache directory. Otherwise, you 
cannot access the IDMDash and IDMProv applications. Also, none of the OSP events will be 
logged in the cache directory. For example, you can change the permission and ownership of the 
directory using the chown novlua:novlua /<directorypath> command, where 
<directorypath> is the cache file directory path. 
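The parameters above only describe what each field is; they do not say which combinations leave the audit trail exposed. The following Python is an added example, not part of the NetIQ documentation or of OSP, that checks a set of CEF auditing parameters (Send audit events, Destination host, Destination port, Network Protocol, Use TLS) and flags the combinations a reviewer would question: Use TLS selected with UDP (the page says TLS applies only to TCP, so it has no effect), TCP without TLS (events cross the network in cleartext and can be read or altered in transit), and a port outside 1-65535. It also shows what one CEF record looks like on the wire, applying the CEF escaping rules (header fields escape backslash and pipe, extension values escape backslash, equals sign and line breaks) so that a user-controlled value such as "a=b" cannot corrupt the record. The vendor, product and version strings, the finding texts and the sample configurations are assumptions. 

```python
"""Check CEF auditing parameters and format a CEF record (added example)."""
from typing import Dict, List


def check_cef_config(cfg: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    if not cfg.get("send_audit_events", False):
        return ["Send audit events is off: no CEF events will be sent"]
    if not str(cfg.get("destination_host", "")).strip():
        findings.append("destination host is empty")
    port = cfg.get("destination_port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"destination port {port!r} is not in 1-65535")
    proto = str(cfg.get("network_protocol", "")).upper()
    tls = bool(cfg.get("use_tls", False))
    if proto not in ("TCP", "UDP"):
        findings.append(f"network protocol {proto!r} must be TCP or UDP")
    elif proto == "UDP":
        findings.append("UDP: events are unauthenticated and unencrypted, and lost events are not retried")
        if tls:
            findings.append("Use TLS is ignored with UDP; switch the protocol to TCP")
    elif not tls:
        findings.append("TCP without TLS: audit events are sent in cleartext")
    return findings


def _escape_header(value: str) -> str:
    # CEF header fields are '|'-separated, so '|' and '\' must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value: str) -> str:
    # Extension values are key=value pairs; '=' and '\' are escaped and line breaks encoded.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def cef_event(signature_id: str, name: str, severity: int, extension: Dict[str, str],
              vendor: str = "NetIQ", product: str = "OSP", version: str = "1") -> str:
    """Format one record: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(_escape_header(v) for v in (vendor, product, version, signature_id, name, str(severity)))
    ext = " ".join(f"{k}={_escape_extension(str(v))}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


# Constructed examples of the tab's settings; the host name is an assumption.
SAMPLE_CONFIGS = {
    "udp_with_tls": {"send_audit_events": True, "destination_host": "audit.example.com",
                     "destination_port": 1514, "network_protocol": "UDP", "use_tls": True},
    "tcp_plain": {"send_audit_events": True, "destination_host": "audit.example.com",
                  "destination_port": 1514, "network_protocol": "TCP", "use_tls": False},
    "tcp_tls": {"send_audit_events": True, "destination_host": "audit.example.com",
                "destination_port": 1514, "network_protocol": "TCP", "use_tls": True},
}

if __name__ == "__main__":
    for label, cfg in SAMPLE_CONFIGS.items():
        print(label, check_cef_config(cfg) or ["ok"])
    print(cef_event("LOGIN", "user login", 3, {"suser": "a=b", "src": "192.168.0.1"}))
```

Only the tcp_tls sample passes cleanly; the UDP sample shows why the page restricts Use TLS to TCP. 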


5.3 Creating Value Indexes for Identity Vault 


The identity applications must be able to interact with the objects in your Identity Vault. To improve the 
performance of the identity applications, the eDirectory Administrator should create value indexes for 
the manager, ismanager and srvprvUUID attributes. Without value indexes on these attributes, the 
identity applications users can experience impeded performance, particularly in a clustered 
environment. 


You can create these value indexes after completing the identity applications installation using one of 
the following methods: 


+ iManager. Use Index Manager. For more information, see Creating an Index (https:// 
www.netiq.com/documentation/edirectory-9/edir_admin/data/a5tuuu5.html#a5tuxxi) in the NetIQ 
eDirectory Administration Guide. 

+ Configuration utility. Navigate to Miscellaneous and specify a value for Server DN in the Identity 
Vault Indexes setting. 


5.4 Configuration and Usage Considerations for the Identity Applications 


The following considerations apply to the configurations and initial usage of the identity applications. 


+ Before users can access the identity applications, you must complete the following activities: 
+ Ensure that all necessary Identity Manager drivers are installed. 


+ Ensure that the indexes for the Identity Vault are in Online mode. For more information 
about configuring an index during installation, see “Miscellaneous” on page 71. 


+ Enable cookies on all browsers. The applications do not work when cookies are disabled. 


+ During the installation process, the installation program writes log files to the installation 
directory. These files contain information about your configuration. After you configure your 
Identity Applications environment, you should consider deleting these log files or storing them in 
a secure location. During the installation process, you might choose to write the database 
schema to a file. Since this file contains descriptive information about your database, you should 
move the file to a secure location after the installation process is complete. 


+ (Conditional) To audit the identity applications, you must have the Identity Reporting and an 
auditing service installed in your environment and configured to capture the events. You must 
also configure the identity applications for auditing. 
5.5 Specifying a Location for the Permission Index 


When you install the identity applications, the process creates a permission index for Tomcat. If you 
do not specify a location for the index, the installation creates a folder in a temporary directory. For 
example, /opt/netiq/idm/apps/tomcat/temp/permindex on Tomcat. 


In a test environment, the location usually does not matter. However, in a production or staging 
environment, you might not want to place the permission index in a temporary directory. 


To specify a location for the index: 


1 Stop Tomcat. 
2 In a text editor, open the ism-configuration.properties file. 
3 At the end of the file, add the following text: 
com.netiq.idm.cis.indexdir = path/permindex 
For example: 
com.netiq.idm.cis.indexdir = /opt/netiq/idm/apps/tomcat/temp/permindex 
4 Save and close the file. 


5 Delete the existing permindex folder in the temporary directory. 


6 Start Tomcat. 


To enable the permission index for clustering, see Chapter 12, “Sample Identity Applications Cluster 
Deployment Solution on Tomcat Application Server,” on page 157. 


5.6 Starting the Identity Applications 


Ensure that you restart the Tomcat service and the ActiveMQ service after you configure the Identity 
Applications: 

systemctl restart netiq-tomcat 
systemctl restart netiq-activemq 


5.7 Configuring Identity Reporting 


After installing Identity Reporting, you can still modify many of the installation properties. To make 
changes, run the configuration update utility (configupdate.sh). 


If you change any setting for Identity Reporting with the configuration tool, you must restart Tomcat for 
the changes to take effect. However, you do not need to restart the server after making changes in 
the web user interface for Identity Reporting. 


+ Section 5.7.1, “Manually Adding the DataSource in the Identity Data Collection Services Page,” 
on page 84 
+ Section 5.7.2, “Running Reports on an Oracle Database,” on page 84 
+ Section 5.7.3, “Manually Generating the Database Schema,” on page 84 
+ Section 5.7.4, “Clearing the Database Checksums,” on page 85 
+ Section 5.7.5, “Deploying REST APIs for Identity Reporting,” on page 86 
+ Section 5.7.6, “Connecting to a Remote PostgreSQL Database,” on page 86 
5.7.1 Manually Adding the DataSource in the Identity Data 
Collection Services Page 

1 Log in to the Identity Reporting application. 
2 Click Data Sources. 
3 Click Add. 
4 In the Add Data Source dialog box, click the Select from predefined list radio button. 
5 Select IDMDCSDataSource. 
6 Click Save. 
5.7.2 Running Reports on an Oracle Database 

Identity Reporting provides the ability to run reports against remote Oracle databases. Ensure that 
the Oracle JDBC driver (ojdbc.jar) is available on the Identity Reporting server, which is the side that 
opens the connection to the Oracle database. 


5.7.3 Manually Generating the Database Schema 


To manually generate the database schema after installation, perform one of the following procedures 
for your database: 


+ “Configuring Create_rpt_roles_and_schemas.sql Schema against PostgreSQL Database” on 
page 84 


+ “Configuring Create_rpt_roles_and_schemas.sql Schema against Oracle Database” on page 85 


Configuring Create_rpt_roles_and_schemas.sql Schema against 
PostgreSQL Database 


1 Add the required roles to the database using the create_dcs_roles_and_schemas.sql and 
create_rpt_roles_and_schemas.sql scripts located in /mnt/reporting/sql. 

1a Log in to pgAdmin as the postgres user. 
1b Run the Query tool. 
1c To create the Create_rpt_roles_and_schemas and Create_dcs_roles_and_schemas 
procedures, copy the content of these SQL files to the Query tool and execute it against the 
connected database. 
1d To create the IDM_RPT_DATA, IDM_RPT_CFG, and IDMRPTUSER roles, execute the 
following commands in the given order: 

Select CREATE_DCS_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_DATA>'); 
Select CREATE_RPT_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_CFG>', '<Set pwd for IDMRPTUSER>'); 

1e To create the IDM_RPT_DATA schema, copy the content of get_formatted_user_dn.sql 
from /mnt/reporting/sql to the Query tool and execute it against the connected database. 
Configuring Create_rpt_roles_and_schemas.sql Schema against 
Oracle Database 

1 Add the required roles to the database using create_dcs_roles_and_schemas-orcale.sql 
and create_rpt_roles_and_schemas-orcale.sql from /mnt/reporting/sql. 

1a Log in to SQL Developer as a database admin user. 
1b To create the Create_rpt_roles_and_schemas and Create_dcs_roles_and_schemas 
procedures, copy the content of these SQL files to SQL Developer and execute it against the 
connected database. 
1c To create the IDM_RPT_DATA, IDM_RPT_CFG, and IDMRPTUSER roles, execute the 
following commands in the given order: 

begin 
CREATE_DCS_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_DATA>'); 
end; 

begin 
CREATE_RPT_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_CFG>', '<Set pwd for IDMRPTUSER>'); 
end; 

1d To create the IDM_RPT_DATA schema, copy the content of get_formatted_user_dn-oracle.sql 
from /mnt/reporting/sql to SQL Developer and execute it against the connected database. 


5.7.4 Clearing the Database Checksums 


1 Locate the following .sql files in /opt/netiq/idm/apps/IDMReporting/sql. 
+ DbUpdate-01-run-as-idm_rpt_cfg.sql 
+ DbUpdate-02-run-as-idm_rpt_cfg.sql 
+ DbUpdate-03-run-as-idm_rpt_data.sql 
+ DbUpdate-04-run-as-idm_rpt_data.sql 
+ DbUpdate-05-run-as-idm_rpt_data.sql 
+ DbUpdate-06-run-as-idm_rpt_cfg.sql 
2 Clear the database checksums. 
2a To run the clearchsum command with each .sql file, add the following line before the first 
SQL statement in each file (after the Liquibase header comments): 
update DATABASECHANGELOG set MD5SUM = NULL; 

The modified content should look similar to the following: 

-- ********************************************************************* 
-- Update Database Script 
-- ********************************************************************* 
-- Change Log: IdmDcsDataDropViews.xml 
-- Ran at: 2/23/18 5:17 PM 
-- Against: IDM_RPT_CFG@jdbc:oracle:thin:@192.99.170.20:1521/orcl 
-- Liquibase version: 3.5.1 
-- ********************************************************************* 

update databasechangelog set md5sum = null; 


2b Run each .sql with the corresponding user. 


3 Commit the changes to the database. 
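The procedure above is easy to get wrong by hand: six files, two different roles, and a statement that must land after the Liquibase header but before the first real statement, and that must not be added twice if the step is repeated. The following Python script is an added example, not part of the NetIQ documentation or product, that does the file preparation for step 2a. It reads the role each script must be run as from the "-run-as-<role>" part of the file name (the naming listed in step 1), inserts the checksum-clearing statement after the leading comment block, skips files that already contain it, and returns a plan of which file to run as which user for step 2b. The directory path and statement text come from the page; SAMPLE_SQL is a constructed script body. 

```python
"""Prepare the DbUpdate-*.sql files for the checksum reset (added example)."""
import re
from pathlib import Path
from typing import Dict

CLEAR_CHECKSUMS = "update DATABASECHANGELOG set MD5SUM = NULL;"
RUN_AS_NAME = re.compile(r"^DbUpdate-(\d+)-run-as-([a-z_]+)\.sql$")
CLEAR_PATTERN = re.compile(r"(?im)^\s*update\s+databasechangelog\s+set\s+md5sum\s*=\s*null\s*;")


def role_for(path) -> str:
    """Return the database role encoded in the script name, e.g. 'idm_rpt_cfg'."""
    match = RUN_AS_NAME.match(Path(path).name)
    if not match:
        raise ValueError(f"not a DbUpdate-NN-run-as-<role>.sql file: {path}")
    return match.group(2)


def already_cleared(sql: str) -> bool:
    """True if the script already resets the Liquibase checksums (case-insensitive)."""
    return CLEAR_PATTERN.search(sql) is not None


def insert_clear_statement(sql: str) -> str:
    """Return sql with the checksum reset placed after the leading '--' comment block."""
    if already_cleared(sql):
        return sql
    lines = sql.splitlines(keepends=True)
    idx = 0
    while idx < len(lines) and (not lines[idx].strip() or lines[idx].lstrip().startswith("--")):
        idx += 1
    return "".join(lines[:idx]) + CLEAR_CHECKSUMS + "\n" + "".join(lines[idx:])


def prepare_scripts(sql_dir="/opt/netiq/idm/apps/IDMReporting/sql") -> Dict[str, str]:
    """Rewrite every DbUpdate-NN-run-as-<role>.sql in place; return {file name: role to run it as}."""
    plan: Dict[str, str] = {}
    for path in sorted(Path(sql_dir).glob("DbUpdate-*-run-as-*.sql")):
        path.write_text(insert_clear_statement(path.read_text()))
        plan[path.name] = role_for(path)
    return plan


# Constructed script body shaped like the Liquibase output shown above; the view name is made up.
SAMPLE_SQL = """\
-- *********************************************************************
-- Update Database Script
-- *********************************************************************
-- Change Log: IdmDcsDataDropViews.xml
-- Liquibase version: 3.5.1
-- *********************************************************************
DROP VIEW IF EXISTS idm_rpt_data.sample_view;
"""

if __name__ == "__main__":
    print(insert_clear_statement(SAMPLE_SQL))
    print(role_for("DbUpdate-03-run-as-idm_rpt_data.sql"))
```

Run prepare_scripts() on the real directory (as a user with write access to it), then execute each file as the role the returned plan names and commit, as steps 2b and 3 describe. 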


5.7.5 Deploying REST APIs for Identity Reporting 


Identity Reporting incorporates several REST APIs that enable different features within the reporting 
functionality. These REST APIs use the OAuth2 protocol for authentication. 


On Tomcat, the rptdoc war and the dcsdoc war are automatically deployed when Identity Reporting 
is installed. 


5.7.6 Connecting to a Remote PostgreSQL Database 


If your PostgreSQL database is installed on a separate server, you need to change the default 
settings in the postgresql.conf and pg_hba.conf files in the remote database. 


1 Change the listening address in the postgresql.conf file. 

By default, PostgreSQL listens only for localhost connections and does not accept remote 
TCP/IP connections. To allow remote TCP/IP connections, add the following entry to the 
/opt/netiq/idm/postgres/data/postgresql.conf file: 

listen_addresses = '*' 

If the server has multiple interfaces, you can list the address of a specific interface instead of '*' 
so that PostgreSQL listens only on that interface. 

2 Add a client authentication entry to the pg_hba.conf file. 


By default, PostgreSQL accepts connections only from the localhost and refuses remote 
connections. Access is controlled by rules that allow a user to log in from an IP address after 
providing a valid password (the md5 keyword). To accept remote connections from any IPv4 
address, add the following entry to the /opt/netiq/idm/postgres/data/pg_hba.conf file: 

host all all 0.0.0.0/0 md5 

A 0.0.0.0/0 rule lets every host that can reach the port attempt a password login. In a production 
or staging environment, limit the rule to the address or network of the Identity Reporting server 
instead. For example: 

host all all 192.168.104.0/26 md5 

Do not use the trust method for remote entries; it allows login without a password. 

The entries above work only for IPv4 addresses. For IPv6 addresses, add the following entry: 

host all all ::0/0 md5 

To allow connections from multiple client computers on a specific network, specify the network 
address in CIDR format in the address field of the entry. 


The pg_hba.conf file supports the following client authentication formats: 
+ local database user authentication-method [authentication-option] 
+ host database user CIDR-address authentication-method [authentication-option] 
+ hostssl database user CIDR-address authentication-method [authentication-option] 
+ hostnossl database user CIDR-address authentication-method [authentication-option] 

Instead of the CIDR-address format, you can specify the IP address and the network mask in 
separate fields using the following format: 

+ host database user IP-address IP-mask authentication-method [authentication-option] 
+ hostssl database user IP-address IP-mask authentication-method [authentication-option] 
+ hostnossl database user IP-address IP-mask authentication-method [authentication-option] 
3 Test the remote connection. 
3a Restart the remote PostgreSQL server. 


3b Log in to the server remotely using the username and password. 
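Before restarting the remote PostgreSQL server in step 3a, it is worth linting the pg_hba.conf entries you added, because the file's record formats listed above make it easy to open the database further than intended. The following Python is an added example, not part of the NetIQ documentation or of PostgreSQL. It parses the record types listed above (local, host, hostssl, hostnossl, with either a CIDR address or separate IP-address and IP-mask fields) and reports what a reviewer would: 0.0.0.0/0, ::0/0 or the all keyword (every host that can reach the port may try passwords), the trust method (no password at all), hostnossl (cleartext only), host records that merely allow TLS rather than require it, md5 where scram-sha-256 is available (PostgreSQL 10 and later), "all all" rules that expose every database to every role, and a CIDR whose host bits are set (192.168.104.24/26 is really 192.168.104.0/26). SAMPLE_PG_HBA is a constructed file; the 192.168.104.x addresses and the idmrptuser role come from the page, everything else in it is assumed. 

```python
"""Lint pg_hba.conf records before opening the reporting database to remote clients (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
ADDRESS_KEYWORDS = {"all", "samehost", "samenet"}
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hba_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one record; return None for blank or comment lines, raise ValueError if malformed."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    rtype = fields[0]
    rec: Dict[str, object] = {"type": rtype, "net": None, "addr": None, "host_bits_set": False}
    if rtype == "local":
        if len(fields) < 4:
            raise ValueError(f"malformed local record: {line.strip()!r}")
        rec.update(db=fields[1], user=fields[2], method=fields[3])
        return rec
    if rtype not in NETWORK_TYPES or len(fields) < 5:
        raise ValueError(f"malformed record: {line.strip()!r}")
    addr = fields[3]
    rec["addr"] = addr
    if "/" in addr:                                        # CIDR-address form
        net_str, method = addr, fields[4]
    elif addr in ADDRESS_KEYWORDS or not _is_ip(addr):    # keyword or host name
        net_str, method = None, fields[4]
    else:                                                  # IP-address IP-mask form
        if len(fields) < 6:
            raise ValueError(f"missing netmask or method: {line.strip()!r}")
        net_str, method = f"{addr}/{fields[4]}", fields[5]
    if net_str is not None:
        net = ipaddress.ip_network(net_str, strict=False)
        rec["net"] = net
        # ip_interface keeps the literal address, so host bits set in the CIDR show up here.
        rec["host_bits_set"] = ipaddress.ip_interface(net_str).ip != net.network_address
    rec.update(db=fields[1], user=fields[2], method=method)
    return rec


def lint_pg_hba(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for pg_hba.conf content."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            rec = parse_hba_line(line)
        except ValueError as exc:
            findings.append((lineno, f"unparseable: {exc}"))
            continue
        if rec is None:
            continue

        def note(msg: str, lineno: int = lineno) -> None:
            findings.append((lineno, msg))

        method, net = rec["method"], rec["net"]
        if method not in METHODS:
            note(f"unknown authentication method {method!r}")
        if rec["type"] == "local":
            continue  # Unix-socket records are not reachable remotely
        if rec["addr"] == "all" or (net is not None and net.prefixlen == 0):
            note(f"{rec['addr']}: any address may connect; restrict to the reporting server")
        if rec["host_bits_set"]:
            note(f"{rec['addr']} has host bits set; the effective network is {net}")
        if method == "trust":
            note("trust: no password is required from this network")
        elif method == "md5":
            note("md5: prefer scram-sha-256 on PostgreSQL 10 and later")
        if rec["type"] == "hostnossl":
            note("hostnossl: accepts only unencrypted connections")
        elif rec["type"] == "host" and method != "reject":
            note("host: TLS is optional; use hostssl to require it")
        if rec["db"] == "all" and rec["user"] == "all" and method != "reject":
            note("all/all: every database is open to every role from this network")
    return findings


SAMPLE_PG_HBA = """\
# constructed sample; 192.168.104.x and idmrptuser are taken from the page
local     all   all                                          peer
host      all   all          0.0.0.0/0                       md5
host      all   all          192.168.104.24/26               trust
hostssl   all   idmrptuser   192.168.104.10/32               scram-sha-256
hostnossl all   all          192.168.104.0   255.255.255.192 md5
host      all   all          ::0/0                           md5
"""

if __name__ == "__main__":
    for lineno, msg in lint_pg_hba(SAMPLE_PG_HBA):
        print(f"line {lineno}: {msg}")
```

Only the hostssl line scoped to one address, one role and scram-sha-256 passes without a finding; that is the shape to aim for in the entry you add in step 2. 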


5.8 Configuring the Runtime Environment for Data 
Collection 


This section provides information about additional configuration steps you should perform to ensure 
that the runtime environment is operating correctly. It also provides troubleshooting techniques, as 
well as some information about database tables that are of particular interest. 


This process includes the following activities: 


+ Section 5.8.1, “Configuring the Data Collection Services Driver to Collect Data from the Identity 
Applications,” on page 87 
+ Section 5.8.2, “Migrating the Data Collection Service Driver,” on page 88 
+ Section 5.8.3, “Adding Support for Custom Attributes and Objects,” on page 90 
+ Section 5.8.4, “Adding Support for Multiple Driver Sets,” on page 93 
+ Section 5.8.5, “Configuring the Drivers to Run in Remote Mode with SSL,” on page 94 


If you have problems with one or more of the drivers that are difficult to understand, see 
“Troubleshooting the Drivers” in the NetIQ Identity Reporting Module Guide. 


5.8.1 Configuring the Data Collection Services Driver to Collect 
Data from the Identity Applications 


For the identity applications to function properly with Identity Reporting, you must configure the DCS 
driver to support the OAuth protocol. 


NOTE 
+ You only need to install and configure the DCS driver if you use Identity Reporting in your 
environment. 


+ If you have multiple DCS drivers configured in your environment, you must complete the 
following steps for each driver. 


1 Log in to Designer. 
2 Open your project in Designer. 


3 (Conditional) If you have not already upgraded your DCS driver to the supported patch version, 
complete the following steps: 


3a Download the latest DCS driver patch file. 


3b Extract the patch file to a location on your server. 
3c In a terminal, navigate to the location of the extracted patch RPM for your environment and 
run the following command: 


rpm -Uvh novell-DXMLdcs.rpm 


3d Restart the Identity Vault. 


3e In Designer, ensure that you have installed a supported version of the Data Collection 
Service Base package. If necessary, install the latest version before continuing. For more 
information about software requirements, see the Section 2.4, “Considerations for Installing 
Identity Reporting Components,” on page 30. 


3f Redeploy and restart the DCS driver in Designer. 

4 In the Outline view, right-click the DCS driver, then select Properties. 
5 Click Driver Configuration. 
6 Click the Driver Parameters tab. 
7 Click Show connection parameters, then select show. 
8 Click SSO Service Support, then select Yes. 
9 Specify the IP address and port for the Reporting Module. 
10 Specify a password for the SSO Service Client. The default password is driver; replace it with a 
strong, unique value rather than keeping the default. 
11 Click Apply, then click OK. 
12 In the Modeler view, right-click the DCS driver, then select Driver > Deploy. 
13 Click Deploy. 
14 If prompted to restart the DCS driver, click Yes. 


15 Click OK. 


5.8.2 Migrating the Data Collection Service Driver 


For the objects to synchronize into the Identity Information Warehouse, you must migrate the Data 
Collection Service driver. 

1 Log in to iManager. 

2 In the Overview panel for the Data Collection Service Driver, select Migrate From Identity Vault. 


3 Select the organizations that contain relevant data, and click Start. 


NOTE: Depending on the amount of data that you have, the migration process could take 
several minutes. Be sure to wait until the migration process is complete before you proceed. 


4 Wait for the migration process to complete. 


5 In the idmrpt_identity and idmrpt_acct tables, which provide information about the identities and 
accounts in the Identity Vault, ensure that they contain the following type of information: 

(Screenshot of the idmrpt_identity table in a database browser. Columns: identity_id, first_name, 
last_name, middle_initial, full_name, job_title, department, location, email_address, office_phone, 
cell_phone. Each row holds one identity from the sample data, for example Alison Blake, Payroll, 
Northeast, (555) 555-1222.) 
6 In an LDAP browser, verify that the migration process adds the following references for 
DirXML-Associations: 

+ For each user, verify that the DirXML-Associations attribute contains an association with the 
Data Collection Service driver, similar to the following (screenshot of the user cn=kcarson in an 
LDAP browser, showing DirXML-Associations alongside the object's other attributes): 

cn=Data Collection Service Driver,cn=TestDrivers,o=novell#1#C534DD67-DB19-4DD2-9482-67DD3AC519DB 

+ For each group, verify that the DirXML-Associations attribute contains a similar association 
(screenshot of the group cn=Operations in an LDAP browser, showing its member list and 
DirXML-Associations): 

cn=Data Collection Service Driver,cn=TestDrivers,o=novell#1#91539E44-6AFC-4676-D9A2-449E5391FCBA 


7 Ensure that the data in the idmrpt_group table appears similar to the following information: 

group_name          group_desc           dynamic_group  dynamic_rule  nested_group  idmrpt_valid_from    idmrpt_deleted  idmrpt_syn_state 
Pharmacy            Pharmacy             FALSE                        FALSE         2010-07-07 21:28:11  FALSE           1 
IT                  Information Tec...   FALSE                        FALSE         2010-07-07 21:28:11  FALSE           1 
HR                  Human Resource...    FALSE                        FALSE         2010-07-07 21:28:11  FALSE           1 
Physician           Physician            FALSE                        FALSE         2010-07-07 21:28:11  FALSE           1 
Operations          Operations           FALSE                        FALSE         2010-07-07 21:28:11  FALSE           1 
Medical Operations  Medical Operations   FALSE                        FALSE         2010-07-07 21:28:11  FALSE           1 
Nursing             Nursing              FALSE                        FALSE         2010-07-07 21:28:11  FALSE           1 

(Column types: group_name, group_desc and dynamic_rule are character varying; dynamic_group, 
nested_group and idmrpt_deleted are boolean; idmrpt_valid_from is timestamp without time zone; 
idmrpt_syn_state is smallint.) 

This table shows the name for each group, as well as flags indicating whether the group is 
dynamic or nested. It also shows whether the group has been migrated. The synchronization 
status (idmrpt_syn_state) could possibly be set to 0 if an object had been modified in the User 
Application but not yet migrated. For example, if a user were added to a group, and the driver 
had not been migrated yet, this value might be set to 0. 


8 (Optional) Verify the data in the following tables: 

+ idmrpt_approver 
+ idmrpt_association 
+ idmrpt_category 
+ idmrpt_container 
+ idmrpt_idv_drivers 
+ idmrpt_idv_prd 
+ idmrpt_role 
+ idmrpt_resource 
+ idmrpt_sod 


9 (Optional) Verify that the idmrpt_ms_collect_state table, which shows information about the data
collection state for the Managed System Gateway Driver, contains no rows.

  This table records which REST endpoints of the managed systems have been queried. At this point,
  the table has no rows because you have not yet started the collection process for this driver.


Adding Support for Custom Attributes and Objects 


You can configure the Data Collection Service driver to gather and persist data for custom attributes 
and objects that are not part of the default data collection scheme. To do this, you need to modify the 
Data Collection Service driver filter. Modifying the filter does not trigger object synchronization 
immediately. Instead, the newly added attributes and objects are sent to the data collection services 
when add, modify, or delete events occur in the Identity Vault. 


When you add support for custom attributes and objects, you need to modify the reports in order to 
include the extended attribute and object information. The following views provide current and historic 
data on the extended objects and attributes: 

+ idm_rpt_cfg.idmrpt_ext_idv_item_v
+ idm_rpt_cfg.idmrpt_ext_item_attr_v

This process includes the following activities:


+ “Configuring the Driver to Use Extended Objects” on page 90 
+ “Including a Name and Description in the Database” on page 91 


+ “Adding Extended Attributes to Known Object Types” on page 92 
Configuring the Driver to Use Extended Objects

You can add any object or attribute to the Data Collection Service filter policy. When you add a new
object or attribute, you need to make sure you map the GUID (with subscriber sync) and the Object
Class (with subscriber notify), as shown in the following example:
<filter-class class-name="Device" publisher="ignore" publisher-create-homedir="true" publisher-track-template-member="false" subscriber="sync">
  <filter-attr attr-name="CN" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="Description" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="GUID" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="Object Class" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="notify"/>
  <filter-attr attr-name="Owner" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="Serial Number" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="SampleDeviceModel" from-all-classes="true" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="SampleDeviceType" from-all-classes="true" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
</filter-class>
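Because a class whose GUID or Object Class mapping is missing or set to the wrong subscriber mode is silently collected wrongly rather than rejected, it is worth linting the filter before deploying it. The following added example (not NetIQ code or documentation) parses a filter policy with the standard library and reports every filter-class that breaks the two rules stated above. The <filter> root element and the attribute names follow the fragment shown above; the sample filter is constructed here from that Device class plus a deliberately misconfigured Printer class, and the class-level subscriber="sync" check is taken from the example's own setting (a class the subscriber channel ignores sends nothing).

```python
"""Lint a Data Collection Service driver filter: every class must map GUID
with subscriber="sync" and Object Class with subscriber="notify".

Added example, not part of the NetIQ product or its documentation.
"""
import xml.etree.ElementTree as ET

# Rules stated in the text: attribute name -> required subscriber mode.
REQUIRED = {"GUID": "sync", "Object Class": "notify"}

# Constructed sample: the Device class from the page (abbreviated) plus a
# Printer class with GUID missing and Object Class set to sync.
SAMPLE_FILTER = """<filter>
  <filter-class class-name="Device" publisher="ignore" subscriber="sync">
    <filter-attr attr-name="CN" publisher="ignore" subscriber="sync"/>
    <filter-attr attr-name="GUID" publisher="ignore" subscriber="sync"/>
    <filter-attr attr-name="Object Class" publisher="ignore" subscriber="notify"/>
    <filter-attr attr-name="Serial Number" publisher="ignore" subscriber="sync"/>
  </filter-class>
  <filter-class class-name="Printer" publisher="ignore" subscriber="sync">
    <filter-attr attr-name="CN" publisher="ignore" subscriber="sync"/>
    <filter-attr attr-name="Object Class" publisher="ignore" subscriber="sync"/>
  </filter-class>
</filter>
"""


def lint_filter(xml_text):
    """Return a list of (class_name, problem) tuples; an empty list means
    every filter-class satisfies the GUID / Object Class requirements."""
    root = ET.fromstring(xml_text)
    problems = []
    for cls in root.iter("filter-class"):
        name = cls.get("class-name", "?")
        # The fragment on the page sets subscriber="sync" on the class; a
        # class the subscriber channel ignores never reaches the collector.
        if cls.get("subscriber") != "sync":
            problems.append((name, 'class is not subscriber="sync"'))
        attrs = {a.get("attr-name"): a for a in cls.findall("filter-attr")}
        for attr_name, mode in REQUIRED.items():
            attr = attrs.get(attr_name)
            if attr is None:
                problems.append((name, f"missing filter-attr {attr_name!r}"))
            elif attr.get("subscriber") != mode:
                problems.append((name, f'{attr_name!r} must be subscriber="{mode}", '
                                       f'found {attr.get("subscriber")!r}'))
    return problems


if __name__ == "__main__":
    for class_name, problem in lint_filter(SAMPLE_FILTER):
        print(f"{class_name}: {problem}")
```

Run it against the filter XML exported from Designer or iManager before you deploy; the Device class passes, the constructed Printer class produces two findings.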


Including a Name and Description in the Database 


If you want the object to have a name and description in the database, you need to add a schema 
mapping policy for _dcsName and _dcsDescription. The schema mapping policy maps the attribute 
values on the object instance to the columns idmrpt_ext_idv_item.item_name and 
idmrpt_ext_idv_item.item_desc, respectively. If you do not add a schema mapping policy, the 
attributes will be populated in the child table idmrpt_ext_item_attr. 


For example: 


<attr-name class-name="Device">
  <nds-name>CN</nds-name>
  <app-name>_dcsName</app-name>
</attr-name>

<attr-name class-name="Device">
  <nds-name>Description</nds-name>
  <app-name>_dcsDescription</app-name>
</attr-name>


The following SQL shows these object and attribute values in the database:

SELECT
    item.item_dn,
    item.item_name,
    item.item_desc,
    attr.attribute_name,
    itemAttr.attribute_value,
    item.idmrpt_deleted AS item_deleted,
    itemAttr.idmrpt_deleted AS attr_deleted,
    obj.object_class
FROM idm_rpt_data.idmrpt_ext_idv_item AS item
    JOIN idm_rpt_data.idmrpt_ext_obj AS obj ON item.object_id = obj.object_id
    JOIN idm_rpt_data.idmrpt_ext_item_attr AS itemAttr ON itemAttr.cat_item_id = item.item_id
    JOIN idm_rpt_data.idmrpt_ext_attr AS attr ON itemAttr.attribute_id = attr.attribute_id
ORDER BY item.item_dn, item.item_name


Adding Extended Attributes to Known Object Types 


If an attribute is added to the filter policy on the Data Collection Service driver and not explicitly
mapped to the reporting database in the XML reference file (IdmrptIdentity.xml), the value is
populated and maintained in the idmrpt_ext_item_attr table, with an attribute reference in the
idmrpt_ext_attr table.


The following SQL shows these extended attributes for User objects (cat_item_type_id = 'IDENTITY'):

SELECT
    acct.idv_acct_dn,
    attrDef.attribute_name,
    attrVal.attribute_value,
    attrVal.idmrpt_valid_from,
    attrVal.cat_item_attr_id,
    attrVal.idmrpt_deleted,
    attrVal.idmrpt_syn_state
FROM idm_rpt_data.idmrpt_ext_item_attr AS attrVal
    JOIN idm_rpt_data.idmrpt_ext_attr AS attrDef ON attrVal.attribute_id = attrDef.attribute_id
    JOIN idm_rpt_data.idmrpt_idv_acct AS acct ON attrVal.cat_item_id = acct.identity_id
    JOIN idm_rpt_data.idmrpt_identity AS idd ON idd.identity_id = acct.identity_id
WHERE attrVal.cat_item_type_id = 'IDENTITY'


In addition to the User object, you can add extended attributes to the filter policy on the following
objects and populate the database with these attributes:

+ nrfRole
+ nrfResource
+ Containers

  NOTE: The installed product provides support for organizationalUnit, Organization, and Domain.
  The container types are maintained in the idmrpt_container_types table.

+ Group
+ nrfSod
You can see the association of the extended attributes to the parent table or object by looking at the
idmrpt_cat_item_types.idmrpt_table_name column. This column describes how to join the
idm_rpt_data.idmrpt_ext_item_attr.cat_item_id column to the primary key of the parent table.
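The two queries above and the idmrpt_cat_item_types paragraph describe one data model: attribute values sit in idmrpt_ext_item_attr, their names in idmrpt_ext_attr, and the parent row is reached through the table named in idmrpt_cat_item_types. The following added example (not NetIQ code) builds a cut-down copy of those tables in an in-memory SQLite database, attached under the idm_rpt_data schema name so the queries read like the PostgreSQL ones on this page, fills it with constructed rows, and joins the parent table by looking its name up at run time. Because that table name comes out of a data row and is interpolated into SQL, the code refuses anything that is not a plain identifier with a known primary key. Column names come from the queries on this page; the EXT_ITEM type id, the parent-key column mapping, the column types and the layout of idmrpt_cat_item_types are assumptions made for the demo.

```python
"""Walk the extended-attribute tables of the reporting schema, joining the
parent table named in idmrpt_cat_item_types.idmrpt_table_name.

Added example, not NetIQ code.  Tables are a simplified stand-in for the
product schema; see the comments for what is assumed.
"""
import re
import sqlite3

# Assumption: primary-key column of each parent table that cat_item_id joins to.
PARENT_KEY = {"idmrpt_idv_acct": "identity_id", "idmrpt_ext_idv_item": "item_id"}
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Column names follow the queries on this page; types are assumed.
SCHEMA = """
CREATE TABLE idm_rpt_data.idmrpt_cat_item_types (cat_item_type_id TEXT PRIMARY KEY, idmrpt_table_name TEXT);
CREATE TABLE idm_rpt_data.idmrpt_ext_attr (attribute_id INTEGER PRIMARY KEY, attribute_name TEXT);
CREATE TABLE idm_rpt_data.idmrpt_idv_acct (identity_id INTEGER PRIMARY KEY, idv_acct_dn TEXT);
CREATE TABLE idm_rpt_data.idmrpt_ext_obj (object_id INTEGER PRIMARY KEY, object_class TEXT);
CREATE TABLE idm_rpt_data.idmrpt_ext_idv_item (item_id INTEGER PRIMARY KEY, item_dn TEXT,
    item_name TEXT, item_desc TEXT, object_id INTEGER, idmrpt_deleted INTEGER);
CREATE TABLE idm_rpt_data.idmrpt_ext_item_attr (cat_item_attr_id INTEGER PRIMARY KEY,
    cat_item_id INTEGER, cat_item_type_id TEXT, attribute_id INTEGER, attribute_value TEXT,
    idmrpt_valid_from TEXT, idmrpt_deleted INTEGER, idmrpt_syn_state INTEGER);
"""

# Constructed sample rows.  'IDENTITY' is from the page; 'EXT_ITEM' is assumed.
ROWS = {
    "idmrpt_cat_item_types": [("IDENTITY", "idmrpt_idv_acct"), ("EXT_ITEM", "idmrpt_ext_idv_item")],
    "idmrpt_ext_attr": [(1, "costCenter"), (2, "SampleDeviceModel")],
    "idmrpt_idv_acct": [(10, "cn=jsmith,ou=users,ou=medical-idmsample,o=novell")],
    "idmrpt_ext_obj": [(5, "Device")],
    "idmrpt_ext_idv_item": [(20, "cn=dev01,ou=devices,o=novell", "dev01", "Ward pump", 5, 0)],
    "idmrpt_ext_item_attr": [
        (100, 10, "IDENTITY", 1, "CC-4711", "2010-07-07 21:28:11", 0, 1),
        (101, 20, "EXT_ITEM", 2, "XR-200", "2010-07-07 21:28:11", 0, 0),  # not yet migrated
    ],
}


def build_db():
    """Create the in-memory database with the idm_rpt_data schema attached."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS idm_rpt_data")
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO idm_rpt_data.{table} VALUES ({marks})", rows)
    return con


def extended_attributes(con, cat_item_type_id):
    """Return (parent_key, attribute_name, attribute_value, syn_state, deleted)
    rows for one category, joining the parent table that
    idmrpt_cat_item_types names for it."""
    row = con.execute(
        "SELECT idmrpt_table_name FROM idm_rpt_data.idmrpt_cat_item_types "
        "WHERE cat_item_type_id = ?", (cat_item_type_id,)).fetchone()
    if row is None:
        raise KeyError(cat_item_type_id)
    table = row[0]
    # The table name is data that ends up inside the SQL text, so only accept
    # a plain identifier for which the parent key is known.
    if not IDENTIFIER.match(table) or table not in PARENT_KEY:
        raise ValueError(f"refusing to join unknown parent table {table!r}")
    key = PARENT_KEY[table]
    sql = f"""
        SELECT p.{key}, attrDef.attribute_name, attrVal.attribute_value,
               attrVal.idmrpt_syn_state, attrVal.idmrpt_deleted
        FROM idm_rpt_data.idmrpt_ext_item_attr AS attrVal
        JOIN idm_rpt_data.idmrpt_ext_attr AS attrDef ON attrVal.attribute_id = attrDef.attribute_id
        JOIN idm_rpt_data.{table} AS p ON attrVal.cat_item_id = p.{key}
        WHERE attrVal.cat_item_type_id = ?
        ORDER BY p.{key}, attrDef.attribute_name"""
    return con.execute(sql, (cat_item_type_id,)).fetchall()


def pending_rows(con):
    """Attribute rows not yet migrated (idmrpt_syn_state = 0); a report
    should treat these values as possibly stale."""
    return con.execute(
        "SELECT cat_item_attr_id FROM idm_rpt_data.idmrpt_ext_item_attr "
        "WHERE idmrpt_syn_state = 0 AND idmrpt_deleted = 0").fetchall()


if __name__ == "__main__":
    db = build_db()
    for type_id in ("IDENTITY", "EXT_ITEM"):
        print(type_id, extended_attributes(db, type_id))
    print("pending:", pending_rows(db))
```

The same lookup-then-join shape works against the real reporting database once the parent-key mapping is filled in from idmrpt_cat_item_types; keep the identifier whitelist, since the table name is never safe to paste into a query unchecked.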


Adding Support for Multiple Driver Sets 


The new Data Collection Service Scoping package (NOVLDCSSCPNG) provides static and dynamic 
scoping capabilities for enterprise environments with multiple driversets and multiple pairs of Data 
Collection Service Drivers and Managed System Gateway Drivers. 


During or after installation, you need to determine the role of the Data Collection Service Driver on
which the package is installed. Select one of the following roles:

+ Primary: The driver synchronizes everything except the subtrees of other driver sets. A primary
  Data Collection Service Driver can service a whole Identity Vault on its own, or work in
  conjunction with one or more secondary drivers.

+ Secondary: The driver synchronizes only its own driver set and nothing else. A secondary Data
  Collection Service Driver normally requires a primary driver running in a different driver set;
  otherwise no data outside the local driver set is sent to the Data Collection Service.

  If you use the integrated installation process to add a second server to the tree, that server
  receives only a copy of the root partition and its own driver set partition. If you make the Data
  Collection Service Driver on this second server the primary driver, it cannot see the object
  changes that it needs to report.

+ Custom: Allows the administrator to define custom scoping rules. The only implicit scope is the
  local driver set; everything else is considered out of scope unless it is explicitly added to the
  list of custom scopes. A custom scope is the distinguished name, in slash format, of a container
  in the Identity Vault whose subordinates or subtree should be synchronized.


The scoping package is only required in some configuration scenarios, as described below:

+ Single server with a single driver set Identity Vault: For this scenario, you do not need
  scoping, and therefore you do not need to install the scoping package.

+ Multiple servers with a single driver set Identity Vault: For this scenario, follow these
  guidelines:

  + Make sure the Identity Manager server holds replicas of all partitions from which data
    should be collected.
  + No scoping is required, so do not install the scoping package.

+ Multiple servers with a multiple driver set Identity Vault: In this scenario, there are two basic
  configurations:

  + All servers hold a replica of all partitions from which data should be collected. For this
    configuration, follow these guidelines:

    + Scoping is required to avoid the same change being processed by multiple DCS drivers.
    + Install the scoping package on all DCS drivers.
    + Select one DCS driver to be the Primary driver.
    + Configure all other DCS drivers to be Secondary drivers.

  + Not all servers hold a replica of all partitions from which data should be collected. Within
    this configuration, there are two possible situations:

    + Each partition from which data should be collected is held by only one Identity Manager
      server. In this case, follow these guidelines:

      + Scoping is required to avoid the same change being processed by multiple DCS drivers.
      + Install the scoping package on all DCS drivers.
      + Configure all DCS drivers to be Primary drivers.

    + Some partitions from which data should be collected are held by more than one Identity
      Manager server. In this case, follow these guidelines:

      + Scoping is required to avoid the same change being processed by multiple DCS drivers.
      + Install the scoping package on all DCS drivers.
      + Configure all DCS drivers to be Custom drivers.
      + Define custom scoping rules for each driver and be sure not to create any overlapping
        scopes.
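The last rule is the one that is easy to break by hand: two Custom drivers whose scopes nest inside each other will both report the same change. The following added example (not NetIQ code) checks a list of per-driver custom scopes for overlaps before you deploy them. Scopes are container DNs in slash format; the demo accepts either backslash or forward-slash separators and an optional leading tree name (an assumption about how your scopes are written) and compares containers component by component. The subtree/subordinates distinction follows the wording above, read as: a subtree scope covers the container and everything beneath it, a subordinates-only scope covers just the container's direct children (also an assumption). Only scopes on different drivers are compared, since the concern stated in the text is the same change reaching more than one DCS driver.

```python
"""Detect overlapping custom scopes across Data Collection Service drivers.

Added example, not NetIQ code.  Scope semantics (subtree vs. direct
subordinates) and the DN format handling are assumptions described in
the lead-in.
"""
from dataclasses import dataclass


def normalize(dn):
    """Split a slash-format DN into lower-cased path components.
    Accepts '\\TREE\\o\\ou' or '/TREE/o/ou'."""
    parts = dn.replace("\\", "/").split("/")
    return tuple(p.lower() for p in parts if p)


@dataclass(frozen=True)
class Scope:
    driver: str             # DCS driver the scope is configured on
    container: str          # slash-format DN of the container
    subtree: bool = True    # False: direct subordinates only


    def covers(self, obj_path):
        """True if an object at obj_path (tuple of components) falls in scope."""
        base = normalize(self.container)
        if obj_path[:len(base)] != base:
            return False
        return self.subtree or len(obj_path) == len(base) + 1


def is_ancestor_or_equal(a, b):
    """True if path a is b or one of b's ancestors."""
    return b[:len(a)] == a


def overlaps(s1, s2):
    """True if some object could fall inside both scopes."""
    a, b = normalize(s1.container), normalize(s2.container)
    if s1.subtree and s2.subtree:
        return is_ancestor_or_equal(a, b) or is_ancestor_or_equal(b, a)
    if not s1.subtree and not s2.subtree:
        return a == b
    sub, tree = (s1, s2) if not s1.subtree else (s2, s1)
    sp, tp = normalize(sub.container), normalize(tree.container)
    # The subordinates scope covers sp's direct children.  The subtree scope
    # reaches them if tp is sp or an ancestor of sp, or if tp is itself one
    # of those children.
    return is_ancestor_or_equal(tp, sp) or (tp[:len(sp)] == sp and len(tp) == len(sp) + 1)


def find_overlaps(scopes):
    """Return (driver1, driver2, container1, container2) for every pair of
    scopes on different drivers that overlap."""
    found = []
    for i, s1 in enumerate(scopes):
        for s2 in scopes[i + 1:]:
            if s1.driver != s2.driver and overlaps(s1, s2):
                found.append((s1.driver, s2.driver, s1.container, s2.container))
    return found


# Constructed sample: three drivers in a tree named IDMTREE.  dcs-east and
# dcs-west collide because one scope is nested inside the other.
SAMPLE_SCOPES = [
    Scope("dcs-east", "\\IDMTREE\\novell\\medical-idmsample"),
    Scope("dcs-west", "\\IDMTREE\\novell\\medical-idmsample\\users"),
    Scope("dcs-hq", "\\IDMTREE\\novell\\hq", subtree=False),
    Scope("dcs-west", "\\IDMTREE\\novell\\west"),
]


if __name__ == "__main__":
    for d1, d2, c1, c2 in find_overlaps(SAMPLE_SCOPES):
        print(f"overlap: {d1} {c1}  <->  {d2} {c2}")
    print(Scope("x", "/IDMTREE/novell").covers(normalize("\\IDMTREE\\novell\\hq\\users\\jdoe")))
```

Feed it the scope lists you intend to configure on each Custom driver; an empty result means no object in the Identity Vault can be claimed by two drivers.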


5.8.5 Configuring the Drivers to Run in Remote Mode with SSL 


When running in remote mode, you can configure the Data Collection Service and Managed System 
Gateway drivers to use SSL. This section provides steps for configuring the drivers to run in remote 
mode with SSL. 


To configure SSL using a Keystore for the Managed System Gateway Driver: 


1 Create a server certificate in iManager. 
1a In the Roles and Tasks view, click NetIQ Certificate Server > Create Server Certificate.


1b Browse to and select the server object where the Managed System Gateway Driver is 
installed. 


1c Specify a certificate nickname. 
1d Select Standard as the creation method, then click Next. 
le Click Finish, then click Close. 
2 Export the server certificate using iManager. 
2a In the Roles and Tasks view, click NetIQ Certificate Access > Server Certificates. 
2b Select the certificate created in Step 1 on page 94 and click Export. 
2c In the Certificates menu, select the name of your certificate. 
2d Ensure that Export private key is checked. 
2e Enter a password and click Next. 
2f Click Save the exported certificate, and save the exported pfx certificate. 
3 Import the pfx certificate exported in Step 2 on page 94 into the java key-store. 
3a Use the keytool available with Java. You must use JDK 6 or later. 


3b Enter the following command at a command prompt: 


keytool -importkeystore -srckeystore <pfx_certificate> -srcstoretype PKCS12 -destkeystore <keystore_name>

For example:

keytool -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 -destkeystore msgw.jks

On JDK 9 and later, keytool creates new keystores in PKCS12 format by default regardless of the
file extension; add -deststoretype JKS if you need a JKS-format file.


3c Enter the password when prompted to do so. 
4 Modify the Managed System Gateway Driver configuration to use the keystore using iManager. 


4a From Identity Manager Overview, click the driverset containing the Managed System 
Gateway Driver. 


4b Click on the driver state icon and select Edit properties > Driver configuration. 
4c Set Show Connection Parameters to true and set the Driver configuration mode to remote. 
4d Enter the complete path of the keystore file and the password. 
4e Save and restart the driver. 
5 Modify the Data Collection Service Driver configuration to use the keystore using iManager. 


5a From Identity Manager Overview, click the driver set containing the Data Collection Service
Driver.


5b Click on the driver state icon and select Edit properties > Driver configuration. 


5c Under the Managed System Gateway Registration header, set Managed System Gateway 
Driver Configuration Mode to remote. 


5d Enter the complete path of the keystore, the password, and the alias (the certificate nickname
entered in Step 1c on page 94).


5e Save and restart the driver. 


Completing a Non-root Installation 


When you install the Identity Manager engine and plug-ins as a non-root user, the installation process
does not perform all of the activities that a root installation does. This section guides you through
the manual steps required to complete the installation.


Creating a Container for Password Policies 


Identity Manager requires password policy objects in the Identity Vault. However, the non-root
installation process does not create a container for password policies.
1 Log in to the Identity Manager tree in iManager. 


2 Navigate to the security container in eDirectory. 


Adding Support for Graphics in Email Notifications 


If you install the Identity Vault and the Identity Manager engine as a non-root user, email notifications
might fail to include the graphics or images provided in the email template. For example, when
running the do-send-email-from-template action, Identity Manager sends the email but the
included images are blank. You must update the driver set to ensure graphic support.

1 Log into your project in Designer. 

2 In the Outline pane, expand Identity Vault. 

3 Right-click Driver Set. 

4 Select Properties > Java. 


5 For JVM options, enter the following content:

  -Dcom.novell.nds.dirxml.util.mail.templatepath=path_to_graphics_files

  For example:

  -Dcom.novell.nds.dirxml.util.mail.templatepath=/prod/eDirectory/opt/novell/eDirectory/lib/dirxml/rules/manualtask/mt_files
6 Click OK. 
7 Deploy the changes to the driverset: 
7a Right-click Driver Set. 
7b Select Live > Deploy. 
7c Select Deploy. 
8 Restart the Identity Vault. 
Upgrading Identity Manager


This section provides information for upgrading Identity Manager components.


6 Preparing to Upgrade Identity Manager


This section provides information to help you prepare for upgrading your Identity Manager solution to
the latest version. To perform the upgrade, you must download and unzip or unpack the Identity
Manager installation kit.


+ Section 6.1, “Checklist for Upgrading Identity Manager,” on page 99
+ Section 6.2, “Understanding Upgrade Process,” on page 101
+ Section 6.3, “Supported Upgrade Paths,” on page 101
+ Section 6.4, “Backing Up the Current Configuration,” on page 104


6.1 Checklist for Upgrading Identity Manager


To perform the upgrade, NetIQ recommends that you complete the steps in the following checklist.

Checklist Items

1. Understand the upgrade process. For more information, see Section 6.2, “Understanding
   Upgrade Process,” on page 101.

2. Review the supported paths for upgrading Identity Manager to 4.7. For information about the
   supported upgrade paths, see Section 6.3, “Supported Upgrade Paths,” on page 101.

3. Ensure that you have the installation kit to upgrade Identity Manager. For more information, see
   Where to Get Identity Manager in the NetIQ Identity Manager Overview and Planning Guide -
   Work-In-Progress DRAFT.

4. Ensure that your computers meet the hardware and software prerequisites for the newer version
   of Identity Manager. For more information, see Section 1.3, “Meeting System Requirements,” on
   page 18 and the Release Notes for the version to which you want to upgrade.

5. Back up the current project, driver configuration, and databases. For more information, see
   Section 6.4, “Backing Up the Current Configuration,” on page 104.

6. Upgrade Designer to the latest version. For more information, see Section 7.2, “Upgrading
   Designer,” on page 107.

7. Upgrade Sentinel Log Management for IGA to the latest version. For more information, see
   Section 7.6.3, “Upgrading Sentinel Log Management for IGA,” on page 123.

8. On the server running Identity Manager, upgrade the Identity Vault (eDirectory) to 9.1. This is
   the first step in the Identity Manager engine upgrade process. For more information, see
   Section 7.3.1, “Upgrading the Identity Vault,” on page 108.

   Upgrading eDirectory stops ndsd, which in turn stops all drivers. For more information, see the
   NetIQ eDirectory Installation Guide.

9. Stop the drivers that are associated with the server where you installed the Identity Manager
   engine. For more information, see

10. Upgrade the Identity Manager engine. For more information, see Section 7.3, “Upgrading the
    Identity Manager Engine,” on page 108.

    NOTE: If you are migrating the Identity Manager engine to a new server, you can use the
    same eDirectory replicas that are on the current Identity Manager server. For more
    information, see Section 10.4, “Migrating the Identity Manager Engine to a New Server,” on
    page 138.

11. (Conditional) If any of the drivers in the driver set for the Identity Manager engine are Remote
    Loader drivers, upgrade the Remote Loader servers for each driver. For more information,
    see Section 7.3.3, “Upgrading the Remote Loader,” on page 109.

12. Upgrade iManager to 3.1. For more information, see Section 7.3.4, “Upgrading iManager,” on
    page 110.

13. Update the iManager plug-ins to match the version of iManager. For more information, see
    “Updating iManager Plug-ins after an Upgrade or Re-installation” on page 112.

14. (Conditional) If you are using packages, upgrade the packages on the existing drivers to get
    new policies. For more information, see Section 7.4, “Upgrading the Identity Manager
    Drivers,” on page 112.

    This is only required if a newer version of a package is available and its policies include new
    functionality that you want to add to your existing driver.

15. Upgrade the Identity Applications. For more information, see Section 7.5, “Upgrading Identity
    Applications,” on page 113.

16. Upgrade Identity Reporting. For more information, see Section 7.6, “Upgrading Identity
    Reporting,” on page 122.

17. Start the drivers associated with the Identity Applications and the Identity Manager engine.
    For more information, see <TBD - provide a link to the book where you will have Starting the
    Drivers section>

18. (Conditional) If you migrated the Identity Manager engine or the identity applications to a new
    server, add the new server to the driver set. For more information, see Section 7.8, “Adding
    New Servers to the Driver Set,” on page 126.

19. (Conditional) If you have custom policies and rules, restore your customized settings. For
    more information, see Section 7.9, “Restoring Custom Policies and Rules to the Driver,” on
    page 127.

20. Upgrade Analyzer. For more information, see Section 7.7, “Upgrading Analyzer,” on
    page 126.

21. Activate your upgraded Identity Manager solution. For more information, see Activating
    Identity Manager in NetIQ Identity Manager Overview and Planning Guide - Work-In-Progress
    DRAFT.
6.2 Understanding Upgrade Process


When you want to install a newer version of an existing Identity Manager installation, you usually 
perform an upgrade. However, when the new version of Identity Manager does not provide an 
upgrade path for your existing data, you must perform a migration. NetIQ defines migration as the 
process for installing Identity Manager on a new server, then migrating the existing data to this new 
server. 


During the product evaluation period or after activating Advanced Edition, you might want to switch 
to Standard Edition if you do not want Advanced Edition functionality in your environment. Identity 
Manager allows you to switch from Advanced Edition to Standard Edition by following a simple 
procedure. 


Switch From Advanced Edition to Standard Edition 


Identity Manager allows you to switch from Advanced Edition to Standard Edition during the 
product evaluation period or after activating Advanced Edition. 


IMPORTANT: If you have already applied Advanced Edition activation, you need not move to 
Standard Edition as all Standard Edition functionality is available in Advanced Edition. You must 
switch to Standard Edition only if you do not want any Advanced Edition functionality in your 
environment and want to scale down your Identity Manager deployment. For more information, 
see “Switching from Advanced Edition to Standard Edition” on page 129. 


6.3 Supported Upgrade Paths 


Identity Manager 4.7 includes support for upgrade from 4.6.x and 4.5.6 versions. Before starting the 
upgrade, NetIQ recommends that you review the information from the appropriate release notes for 
your current version. 

+ Section 6.3.1, “Upgrading from Identity Manager 4.6.x Versions,” on page 101
+ Section 6.3.2, “Upgrading from Identity Manager 4.5.x Versions,” on page 103


6.3.1 Upgrading from Identity Manager 4.6.x Versions 


The following table lists the component-wise upgrade paths for Identity Manager 4.6.x versions:

Component: Identity Manager Engine
  Base version: 4.6.x
  Upgraded version:
    1. Upgrade the operating system to a supported version.
    2. Upgrade Identity Vault to 9.1.
    3. Upgrade Identity Manager Engine to 4.7.

Component: Remote Loader/Fanout Agent
  Base version: 4.6.x
  Upgraded version: Install 4.7 Remote Loader/Fanout Agent.

Component: Designer
  Base version: 4.6.x
  Upgraded version:
    1. Install Designer 4.7.
    2. Convert your workspace from NCP to LDAP.
       Designer 4.7 is LDAP-based. Before using this version, see the NetIQ Identity Manager LDAP
       Designer Release Notes.

Component: Identity Applications
  Base version: 4.6.x
  Upgraded version: Before you upgrade Identity Applications, ensure that the Identity Vault and
  Identity Manager engine are upgraded to 9.1 and 4.7 respectively.
    1. Upgrade the operating system to a supported version.
    2. Upgrade the database to a supported version. For the supported database versions, see
       Section 1.3, “Meeting System Requirements,” on page 18.
    3. (Conditional) If SSPR is installed on a separate server, upgrade the component to version 4.7.
    4. Update the User Application driver and Roles and Resources driver packages.
    5. Upgrade Identity Applications to 4.7.
    6. Stop Tomcat.

Component: Identity Reporting
  Base version: 4.6.x
  Upgraded version:
    1. Upgrade the operating system to a supported version.
    2. Upgrade the database to a supported version. For more information about the supported
       database versions, see Section 1.3, “Meeting System Requirements,” on page 18.
    3. Upgrade SLM for IGA to a supported version.
    4. Update the Data Collection Service and Managed System Gateway driver packages.
    5. Upgrade Identity Reporting to 4.7.
    6. (Conditional) Create a data synchronization policy from the Identity Manager Data Collection
       Services page.

Before starting the upgrade, NetIQ recommends that you review the information from the release
notes for your version:

+ NetIQ Identity Manager 4.6 Service Pack 2 Release Notes
+ NetIQ Identity Manager 4.6 Service Pack 1 Release Notes
+ NetIQ Identity Manager 4.6 Release Notes
6.3.2 Upgrading from Identity Manager 4.5.x Versions


The following table lists the component-wise upgrade paths for Identity Manager 4.5.x versions:

Component: Identity Manager Engine
  Base version: Identity Manager 4.5.x (where x is 0 to 5) with eDirectory 8.8.8.x (where x is 3 to 9)
  Intermediate step: Apply the 4.5.6 patch.
  Upgraded version:
    1. Upgrade the operating system to a supported version.
    2. Upgrade Identity Vault to 9.1.
    3. Upgrade Identity Manager Engine to 4.7.

Component: Remote Loader/Fanout Agent
  Base version: 4.5.x, where x is 0 to 5
  Intermediate step: Apply the 4.5.6 patch.
  Upgraded version: Install 4.7 Remote Loader/Fanout Agent.

Component: Designer
  Base version: 4.5.x, where x is 0 to 5
  Intermediate step: Apply the 4.5.6 patch.
  Upgraded version:
    1. Install Designer 4.7.
    2. Convert your workspace from NCP to LDAP.
       Designer 4.7 is LDAP-based. Before using this version, see the NetIQ Identity Manager LDAP
       Designer Release Notes.

Component: Identity Applications
  Base version: 4.5.x, where x is 0 to 5
  Intermediate step:
    + If you are using JBoss or WebSphere, migrate to the Tomcat application server.
    + Apply the 4.5.6 patch.
  Upgraded version: Before you upgrade Identity Applications, ensure that the Identity Vault and
  Identity Manager engine are upgraded to 9.1 and 4.7 respectively.
    1. Upgrade the operating system to a supported version.
    2. Update the User Application driver and Roles and Resources driver packages.
    3. Upgrade the database to a supported version. For the supported database versions, see
       Section 1.3, “Meeting System Requirements,” on page 18.
    4. (Conditional) If SSPR is installed on a separate server, upgrade the component to version 4.7.
    5. Upgrade Identity Applications to 4.7.
    6. Stop Tomcat.

Component: Identity Reporting
  Base version: 4.5.x, where x is 0 to 5
  Intermediate step:
    + If you are using JBoss or WebSphere, migrate to the Tomcat application server.
    + Apply the 4.5.6 patch.
  Upgraded version:
    1. Upgrade the operating system to a supported version.
    2. Upgrade the database to a supported version. For more information about the supported
       database versions, see Section 1.3, “Meeting System Requirements,” on page 18.
    3. Migrate Event Auditing Service data to a supported version of PostgreSQL or Oracle database.
    4. Install SLM for IGA.
    5. Update the Data Collection Service and Managed System Gateway driver packages.
    6. Migrate Identity Reporting to 4.7. For more information, see Section 10.7, “Migrating Identity
       Reporting,” on page 142.
    7. (Conditional) Create a data synchronization policy from the Identity Manager Data Collection
       Services page.

Before starting the upgrade, NetIQ recommends that you review the information from the release
notes for your version:

+ NetIQ Identity Manager 4.5 Service Pack 6 Release Notes
+ NetIQ Identity Manager 4.5 Service Pack 5 Release Notes
+ NetIQ Identity Manager 4.5 Service Pack 4 Release Notes
+ NetIQ Identity Manager 4.5 Service Pack 3 Release Notes
+ NetIQ Identity Manager 4.5 Service Pack 2 Release Notes
+ NetIQ Identity Manager 4.5 Service Pack 1 Release Notes
+ NetIQ Identity Manager 4.5 Release Notes


6.4 Backing Up the Current Configuration 


Before upgrading, NetIQ recommends that you back up the current configuration of your Identity 
Manager solution. There are no additional steps required to back up the User Application. All User 
Application configuration is stored in the User Application driver. You can create the backup in the 
following ways: 

+ Section 6.4.1, “Exporting the Designer Project,” on page 105
+ Section 6.4.2, “Exporting the Configuration of the Drivers,” on page 106


6.4.1 Exporting the Designer Project


A Designer project contains the schema and all driver configuration information. Creating a project of 
your Identity Manager solution allows you to export all of the drivers in one step instead of creating a 
separate export file for each driver. 

+ “Exporting the Current Project” on page 105 


+ “Creating a New Project from the Identity Vault” on page 105 


Exporting the Current Project 


If you already have a Designer project, verify that the information in the project is synchronized with 
what is in the Identity Vault: 

1 In Designer, open your project. 

2 In the Modeler, right-click the Identity Vault, then select Live > Compare. 

3 Evaluate the project and reconcile any differences, then click OK. 


For more information, see “Using the Compare Feature When Deploying” in the NetIQ Designer 
for Identity Manager Administration Guide. 


4 On the toolbar, select Project > Export. 
5 Click Select All to select all resources to export. 
6 Select where to save the project and in what format, then click Finish. 


Save the project in any location other than the current workspace. When you upgrade Designer,
you must create a new workspace location. For more information, see “Exporting a Project” in the
NetIQ Designer for Identity Manager Administration Guide.


Creating a New Project from the Identity Vault 


If you do not have a Designer project of your current Identity Manager solution, you must create a
project to back up your current solution.

1 Install Designer.
2 Launch Designer, then specify a location for your workspace.
3 Select whether you want to check for online updates, then click OK.
4 On the Welcome page, click Run Designer.
5 On the toolbar, select Project > Import Project > Identity Vault.
6 Specify a name for the project, then either use the default location for your project or select a
  different location.
7 Click Next.
8 Specify the following values for connecting to the Identity Vault:

  + Host Names: the IP address or DNS name of the Identity Vault server
  + User name: the DN of the user used to authenticate to the Identity Vault
  + Password: the password of the authentication user

9 Click Next.
10 Leave the Identity Vault Schema and the Default Notification Collection selected.
11 Expand the Default Notification Collection, then deselect the languages you do not need.

   The Default Notification Collections are translated into many different languages. You can import
   all languages or select only the languages that you use.

12 Click Browse, then browse to and select a driver set to import.
13 Repeat Step 12 for each driver set in this Identity Vault, then click Finish.
14 Click OK after the project is imported.
15 If you only have one Identity Vault, you are finished. If you have multiple Identity Vaults, proceed
   with Step 16.
16 Click Live > Import on the toolbar.
17 Repeat Step 8 through Step 14 for each additional Identity Vault.


Exporting the Configuration of the Drivers 


Creating an export of the drivers makes a backup of your current configuration. However, Designer 
currently does not create a backup of the Roles Based Entitlements driver and policies. Use 
iManager to verify that you have an export of the Roles Based Entitlement driver. 


+ 


+ 


“Using Designer to Export the Driver Configurations” on page 106 
“Using iManager to Create an Export of the Driver” on page 106 


Using Designer to Export the Driver Configurations 

1 Verify that your project in Designer has the most current version of your driver. For more 
information, see “Importing a Library, a Driver Set, or a Driver from the Identity Vault” in the 
NetIQ Designer for Identity Manager Administration Guide. 
2 In the Modeler, right-click the line of the driver that you are upgrading. 
3 Select Export to a Configuration File. 
4 Browse to a location to save the configuration file, then click Save. 
5 Click OK on the results page. 
6 Repeat Step 1 through Step 5 for each driver. 


Using iManager to Create an Export of the Driver 

1 In iManager, select Identity Manager > Identity Manager Overview. 
2 Browse to and select the location in the tree to search for Driver Set objects, then click the 
search icon. 
3 Click the Driver Set object that holds the driver you want to upgrade. 
4 Click the driver you want to upgrade, then click Export. 
5 Click Next, then select Export all contained policies, linked to the configuration or not. 
6 Click Next, then click Save As. 
7 Select Save to Disk, then click OK. 
8 Click Finish. 
9 Repeat Step 1 through Step 8 for each driver. 
Upgrading Identity Manager Components 

This section provides specific information for upgrading individual components of Identity Manager. 
This section also provides steps that you might need to take after performing an upgrade. 

+ Section 7.1, “Upgrade Sequence,” on page 107 
+ Section 7.2, “Upgrading Designer,” on page 107 
+ Section 7.3, “Upgrading the Identity Manager Engine,” on page 108 
+ Section 7.4, “Upgrading the Identity Manager Drivers,” on page 112 
+ Section 7.5, “Upgrading Identity Applications,” on page 113 
+ Section 7.6, “Upgrading Identity Reporting,” on page 122 
+ Section 7.7, “Upgrading Analyzer,” on page 126 
+ Section 7.8, “Adding New Servers to the Driver Set,” on page 126 
+ Section 7.9, “Restoring Custom Policies and Rules to the Driver,” on page 127 


7.1 Upgrade Sequence 

You must upgrade the Identity Manager components in the following sequence: 
1. Designer 
2. Sentinel Log Management for IGA 
3. Identity Vault 
4. Identity Manager Engine 
5. Remote Loader 
6. Fanout Agent 
7. iManager 
8. Identity Applications (for Advanced Edition) 
9. Identity Reporting 
10. Analyzer 

NOTE: You can upgrade only one component at a time. 


7.2 Upgrading Designer 

1 Log in as an administrator to the server where Designer is installed. 
2 To create a backup copy of your projects, export your projects. 
For more information about exporting, see “Exporting a Project” in the NetIQ Designer for 
Identity Manager Administration Guide. 
3 Launch the Designer installation program. For more information, see Section 3.5, “Installing 
Designer,” on page 41. 

After upgrading to the current version of Designer, you must import all Designer projects from the 
older version. When you initiate the import process, Designer runs the Project Converter Wizard, 
which converts the older projects to the current version. In the wizard, select Copy project into the 
workspace. For more information about the Project Converter, see the NetIQ Designer for Identity 
Manager Administration Guide. 

7.3 Upgrading the Identity Manager Engine 

Ensure that you upgrade the Identity Vault before upgrading the Identity Manager engine. The Identity 
Manager engine upgrade process updates the driver shim files that are stored in the file system on 
the host computer. 

7.3.1 Upgrading the Identity Vault 

1 Download the Identity_Manager_4.7_Linux.iso as instructed in Where to Get Identity 
Manager in the NetIQ Identity Manager Overview and Planning Guide - Work-In-Progress 
DRAFT. 
2 Mount the downloaded .iso. 
3 From the root directory of the .iso file, navigate to the IDVault/setup directory. 
4 Run the following command: 
./nds-install 
5 Accept the license agreement and proceed with the installation. 
6 Specify adminDN. For example, cn=admin.ou=sa.o=system. 
7 Specify y when prompted for stopping eDirectory instances and upgrading NICI. 
8 Specify if you want to configure Enhanced Background Authentication. 

NOTE: Run ndsconfig upgrade after nds-install if the upgrade of the DIB fails and nds-install 
prompts you to do so. If eDirectory services are not starting after an upgrade, run the ndsconfig upgrade 
command. For more information, see the NetIQ eDirectory Installation Guide. 


7.3.2 Upgrading the Identity Manager Engine 

Verify that the drivers are stopped. For more information, see <TBD - provide a link to the book where 
you will have the Stopping the Drivers section>. 

Ensure that there are no events in the cache file before you begin the upgrade process. 

When you upgrade the Identity Manager engine to version 4.7, the engine installer cleans up the 
existing MapDB driver work cache files (dx*). However, you must manually remove the existing 
MapDB state cache files after upgrading the driver. Otherwise, the driver may not start. 

The following Identity Manager drivers use MapDB 3.0.5: 
+ MS Azure 
+ JDBC 
+ DCS 
+ MSGW 
+ LDAP 
+ Salesforce 
+ ServiceNow 

Perform the following steps to upgrade the Identity Manager Engine: 

1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website. 
2 Mount the downloaded .iso. 
3 Run the following command: 
./install.sh 
4 Read through the license agreement. 
5 Enter y to accept the license agreement. 
6 Specify whether you want to upgrade the Identity Manager components. The available options are 
y and n. 
7 Select Identity Manager Engine. 
8 Specify the following details: 
Identity Vault Administrator: Specify the Identity Vault administrator name. 
Identity Vault Administrator Password: Specify the Identity Vault Administrator password. 


7.3.3 Upgrading the Remote Loader 

If you are running the Remote Loader, you need to upgrade the Remote Loader files. 

1 Create a backup of the Remote Loader configuration files. 
2 Verify that the drivers are stopped. For instructions, see <TBD - provide a link to the book where 
you will have the Stopping the drivers section>. 
3 Stop the Remote Loader service or daemon for each driver. 
+ Remote Loader: rdxml -config path_to_config_file -u 
+ Java Remote Loader: dirxml_jremote -config path_to_config_file -u 
4 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website. 
5 Mount the downloaded .iso. 
6 Run the following command: 
./install.sh 
7 Read through the license agreement. 
8 Enter y to accept the license agreement. 
9 Specify whether you want to upgrade the Identity Manager components. The available options are 
y and n. 
10 Select Remote Loader. 
11 After the installation finishes, verify that your configuration files contain your environment’s 
information. 
12 (Conditional) If there is a problem with the configuration file, copy the backup file that you 
created in Step 1. Otherwise, continue with the next step. 
13 Start the Remote Loader service or daemon for each driver. 
+ Remote Loader: rdxml -config path_to_config_file 
+ Java Remote Loader: dirxml_jremote -config path_to_config_file 


Upgrading iManager 

In general, the upgrade process for iManager uses the existing configuration values in the 
configiman.properties file, such as port values and authorized users. Before upgrading, NetIQ 
recommends that you back up the server.xml and context.xml configuration files if you have 
previously modified them. 

Before you upgrade iManager to 3.1, ensure that your eDirectory version is upgraded to 9.1. 

The upgrade process includes the following activities: 
+ “Upgrading iManager” on page 110 
+ “Updating Role-Based Services” on page 110 
+ “Re-installing or Migrating Plug-ins for Plug-in Studio” on page 111 
+ “Updating iManager Plug-ins after an Upgrade or Re-installation” on page 112 

Upgrading iManager 

Before upgrading iManager, ensure that the computer meets the prerequisites and system 
requirements. 

NOTE: The upgrade process uses the HTTP port and SSL port values that were configured in the 
previous version of iManager. 

1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website. 
2 Mount the downloaded .iso. 
3 Run the following command: 
./install.sh 
4 Read through the license agreement. 
5 Enter y to accept the license agreement. 
6 Specify iManager to proceed with the upgrade. 


Updating Role-Based Services 


The first time that you use iManager to log in to an eDirectory tree that already contains a Role-Based 
Services (RBS) collection, you might not see all of the roles information. This behavior is normal 
because you must update some of the plug-ins to function with the latest version of iManager. NetIQ 
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recommends that you update your RBS modules to the latest version so that you can see and use all 
of the available functionality in iManager. The RBS Configuration table lists which RBS modules need 
to be updated. 


Be aware that you might have multiple roles with the same name. Starting with iManager 2.5, some 
plug-in developers changed task IDs or module names but retained the same display names. This 
issue causes the roles to appear to be duplicated when, in fact, one instance is from one version and 
the other is from a newer version. 


NOTE 

+ When updating or re-installing iManager, the installation program does not update existing 
plug-ins. To update plug-ins manually, launch iManager and navigate to Configure > Plug-in 
Installation > Available Novell Plug-in Modules. 

+ Different installations of iManager might have a different number of plug-ins locally installed. As a 
result, you might see discrepancies in the module report for any given collection from the Role 
Based Services > RBS Configuration page. For the numbers to match between iManager 
installations, ensure that you install the same subset of plug-ins on each iManager instance in 
the tree. 

To check for and update outdated RBS objects: 

1 Log in to iManager. 
2 In the Configure view, select Role Based Services > RBS Configuration. 
Review the table in the 2.x Collections tabbed page for any out-of-date modules. 
3 (Optional) To update a module, complete the following steps: 
3a For the Collection that you want to update, select the number in the Out-Of-Date column. 
iManager displays the list of outdated modules. 
3b Select the module that you want to update. 
3c Click Update at the top of the table. 


Re-installing or Migrating Plug-ins for Plug-in Studio 

You can migrate or replicate Plug-in Studio plug-ins to another iManager instance, as well as to a new 
or updated version of iManager. 

1 Log in to iManager. 
2 In the iManager Configure view, select Role Based Services > Plug-in Studio. 
The Content frame displays the Installed Custom Plug-ins list, including the location of the RBS 
collection to which the plug-ins belong. 
3 Select the plug-in that you want to re-install or migrate, then click Edit. 
NOTE: You can edit only one plug-in at a time. 
4 Click Install. 
5 Repeat these steps for every plug-in that you need to re-install or migrate. 

Upgrading Identity Manager Components 111 

Updating iManager Plug-ins after an Upgrade or Re-installation 

When you upgrade or re-install your iManager, the installation process does not update the existing 
plug-ins. Ensure that the plug-ins match the correct iManager version. 
1 Open iManager. 
2 Navigate to Configure > Plug-in Installation > Available Novell Plug-in Modules. 
3 Update the plug-ins. 


7.4 Upgrading the Identity Manager Drivers 

NetIQ delivers new driver content through packages. You manage, maintain, and create packages in 
Designer. Although iManager is package-aware, Designer does not maintain any changes to driver 
content that you make in iManager. For more information about managing packages, see “Managing 
Packages” in the NetIQ Designer for Identity Manager Administration Guide. 

You can upgrade your drivers to packages in the following ways: 
+ Section 7.4.1, “Creating a New Driver,” on page 112 
+ Section 7.4.2, “Replacing Existing Content with Content from Packages,” on page 112 
+ Section 7.4.3, “Keeping the Current Content and Adding New Content with Packages,” on 
page 113 

7.4.1 Creating a New Driver 

The simplest and cleanest way to upgrade drivers to packages is to delete your existing driver and 
create a new driver with packages. Add all the functionality you want in the new driver. The steps are 
different for each driver. For instructions, see the individual driver guides on the Identity Manager 
Drivers documentation website. The driver now functions as before, but with content from packages 
instead of from a driver configuration file. 

7.4.2 Replacing Existing Content with Content from Packages 

If you need to keep the associations created by the driver, you do not need to delete and re-create the 
driver. You can keep the associations and replace the driver content with packages. 

To replace the existing content with content from packages: 

1 Create a backup of the driver and all of the customized content in the driver. 
For instructions, see Section 6.4.2, “Exporting the Configuration of the Drivers,” on page 106. 
2 In Designer, delete all objects stored inside of the driver. Delete the policies, filters, entitlements, 
and all other items stored inside of the driver. 
NOTE: Designer provides the auto-import facility for importing the latest packages. You do not 
need to manually import the driver packages into the package catalog. 
For more information, see “Importing Packages into the Package Catalog” in the NetIQ Designer 
for Identity Manager Administration Guide. 
3 Install the latest packages to the driver. 

112 NetIQ Identity Manager Setup Guide for Linux 

These steps are specific for each driver. For instructions, see each driver guide at the Identity 
Manager Drivers documentation website. 
4 Restore any custom policies and rules to the driver. For instructions, see Section 7.9, “Restoring 
Custom Policies and Rules to the Driver,” on page 127. 


7.4.3 Keeping the Current Content and Adding New Content with Packages 


You can keep the driver as it currently is and add new functionality to the driver through packages, as 
long as the functionality in packages does not overlap the current functionality of the driver. 


Before you install a package, create a backup of the driver configuration file. When you install a 
package, it can overwrite existing policies, which might cause the driver to stop working. If a policy is 
overwritten, you can import the backup driver configuration file and recreate the policy. 


Before you begin, make sure that any customized policies have different policy names than the 
default policies. When a driver configuration is overlaid with a new driver file, the existing policies are 
overwritten. If your custom policies do not have a unique name, you will lose them. 


To add new content to the driver with packages: 


1 Create a backup of the driver and all of the customized content in the driver. 


For instructions, see Section 6.4.2, “Exporting the Configuration of the Drivers,” on page 106. 


NOTE: Designer provides the auto-import facility for importing the latest packages. You do not 
need to manually import the driver packages into the package catalog. 


For more information, see “Importing Packages into the Package Catalog” in the NetIQ Designer 
for Identity Manager Administration Guide. 


2 Install the packages on the driver. 
For instructions, see each driver guide at the Identity Manager Drivers documentation website. 
3 Add the desired packages to the driver. These steps are specific for each driver. 


For more information, see the Identity Manager Drivers documentation website. 


The driver contains the new functionality added by the packages. 


7.5 Upgrading Identity Applications 

This section provides information about upgrading the Identity Applications and supporting software, 
which includes updating the following components: 
+ Identity Manager User Application 
+ One SSO Provider (OSP) 
+ Self-Service Password Reset (SSPR) 
+ Tomcat, JDK, and ActiveMQ 
+ PostgreSQL database 

After an upgrade, the components are upgraded to the following versions: 
+ Tomcat: 8.5.27 
+ ActiveMQ: 5.15.2 
+ Java: 1.8.0_162 
+ One SSO Provider: 6.2.1 
+ Self-Service Password Reset: 4.2.0.4 

This section provides information about the following topics: 
+ Section 7.5.1, “Understanding the Upgrade Program,” on page 114 
+ Section 7.5.2, “Prerequisites and Considerations for Upgrade,” on page 114 
+ Section 7.5.3, “System Requirements,” on page 115 
+ Section 7.5.4, “Upgrading the PostgreSQL Database,” on page 115 
+ Section 7.5.5, “Upgrading the Driver Packages for Identity Applications,” on page 118 
+ Section 7.5.6, “Upgrading Identity Applications,” on page 118 
+ Section 7.5.7, “Post-Upgrade Tasks,” on page 119 


7.5.1 Understanding the Upgrade Program 

The upgrade process reads the configuration values from the existing components. This information 
includes ism-configuration.properties, server.xml, SSPRConfiguration and other 
configuration files. Using these configuration files, the upgrade process internally invokes the upgrade 
program for the components. In addition, this program also creates a backup of the current 
installation. 

7.5.2 Prerequisites and Considerations for Upgrade 

Before performing an upgrade, review the following considerations: 

+ Identity Manager is upgraded to version 4.5.6: You cannot upgrade or migrate to version 4.7 
from versions earlier than 4.5.6. For more information about how to upgrade to Identity Manager 
4.7, see Section 6.3, “Supported Upgrade Paths,” on page 101. 
+ System Requirements: The upgrade process requires at least 3 GB free disk space for storing 
the current configuration and the temporary files that are created during upgrade. Ensure that 
your server has sufficient space to store the back-up and additional free space available for 
upgrade. 
Ensure that you backed up the Identity Applications certificates (cacerts). 
+ Tomcat as an application server: This version of Identity Manager supports only Tomcat as an 
application server. 
If you are running your identity applications on an application server other than Tomcat, migrate 
the application server to Tomcat before you perform an upgrade. For more information, see 
Migrating from Websphere or JBoss to Tomcat. 
+ Database platform is upgraded: This program does not upgrade the database platform for the 
identity applications. Manually upgrade your current version of the database to a supported 
version. For upgrading the PostgreSQL database, see Section 7.5.4, “Upgrading the 
PostgreSQL Database,” on page 115. 
+ Roles and Resource Service driver package is upgraded: For more information, see 
Upgrading Installed Packages in the NetIQ Designer for Identity Manager Administration Guide. 
+ Self Service Password Reset: If you are upgrading from SSPR 4.0, ensure that you have updated 
the CATALINA_OPTS property and that -Dsspr.applicationPath is set to the folder where your SSPR 
configuration is stored. 
For example: 
export CATALINA_OPTS="-Dsspr.applicationPath=/home/sspr_data" 
Back up your SSPR LocalDB before upgrading. To export or download LocalDB, perform the 
following steps: 
1. Log in to the SSPR portal as an administrator. 
2. In the top-right corner of the page, click Configuration Manager from the drop-down menu. 
3. Click LocalDB. 
4. Click Download LocalDB. 


7.5.3 System Requirements 


The upgrade process creates a back-up of the current configuration for the installed components. 
Ensure that your server has sufficient space to store the back-up and additional free space available 
for upgrade. 


7.5.4 Upgrading the PostgreSQL Database 


The following pre-upgrade steps need to be performed for upgrading the PostgreSQL database. 

1 Stop the PostgreSQL service. 
su -s /bin/sh - postgres -c "/opt/netiq/idm/apps/postgres/bin/pg_ctl stop -w -D /opt/netiq/idm/apps/postgres/data" 
2 Disable the existing unit file for the PostgreSQL service. 
systemctl disable postgresql-9.6.service 
3 Clean up the existing unit file for the PostgreSQL service. 
rm /usr/lib/systemd/system/postgresql-9.6.service 
systemctl daemon-reload 
systemctl reset-failed 
4 Create a backup directory and take a backup of the existing PostgreSQL directory. 
For example: 
mkdir -p /home/backup 
cp -rvf /opt/netiq/idm/apps/postgres/ /home/backup/ 
5 Navigate to the location where you have mounted the Identity_Manager_4.7_Linux.iso. 
6 Navigate to the /common/packages/postgres/ directory. 
7 Install the new version of PostgreSQL. 
rpm -ivh netiq-postgresql-9.6.6-0.noarch.rpm 
NOTE: The PostgreSQL home directory is changed to /opt/netiq/idm/postgres/ from the 
previously installed custom location. 
8 Create a data directory in the PostgreSQL installed location. 
mkdir -p <POSTGRES_HOME>/data, where <POSTGRES_HOME> is /opt/netiq/idm/postgres 
For example: 
mkdir -p /opt/netiq/idm/postgres/data 
9 Change the permissions for the newly installed PostgreSQL directory. 
chown -R postgres:postgres <postgres directory path> 
For example: 
chown -R postgres:postgres /opt/netiq/idm/postgres 
10 Create a postgres user home directory. 
For example: 
mkdir -p /home/users/postgres 
11 Change the permissions for the newly created PostgreSQL user home directory. 
chown -R postgres:postgres <postgres home directory path> 
For example: 
chown -R postgres:postgres /home/users/postgres 

12 Export the PostgreSQL home directory: 
export PGHOME=<postgres home directory path> 
For example: 
export PG_HOME=/opt/netiq/idm/postgres 
13 Export the PostgreSQL password: 
export PGPASSWORD=<enter the database password> 
14 Initialize the database. 
su -s /bin/sh - postgres -c "LANG=en_US.UTF-8 <POSTGRES_HOME>/bin/initdb -D <POSTGRES_HOME>/data" 
For example: 
su -s /bin/sh - postgres -c "LANG=en_US.UTF-8 /opt/netiq/idm/postgres/bin/initdb -D /opt/netiq/idm/postgres/data" 
15 Change the postgres user’s home directory path to /opt/netiq/idm/postgres/ in the /etc/passwd file. 
15a Navigate to the /etc/ directory. 
15b Edit the passwd file. 
vi /etc/passwd 
15c Change the home directory of the postgres user to /opt/netiq/idm/postgres/. 
16 Navigate to the /opt/netiq/idm/postgres/ directory. 
17 Log in as the postgres user. 
For example: 
su postgres 
18 Migrate the existing data. 
For example: 
/opt/netiq/idm/postgres/bin/pg_upgrade --old-datadir /opt/netiq/idm/apps/postgres/data/ --new-datadir /opt/netiq/idm/postgres/data/ --old-bindir /opt/netiq/idm/apps/postgres/bin --new-bindir /opt/netiq/idm/postgres/bin/ 
19 Log out as the postgres user. 
20 Update the pg_hba.conf file to trust the server network: 
20a Navigate to the /opt/netiq/idm/postgres/data/ directory. 
20b Edit the pg_hba.conf file: 
vi pg_hba.conf 
20c Add the following line in the pg_hba.conf file: 
host all all 0.0.0.0/0 trust 
21 To ensure that your PostgreSQL instance listens on network interfaces other than localhost, 
update the configuration file: 
21a Navigate to the /opt/netiq/idm/postgres/data/ directory. 
21b Edit the postgresql.conf file: 
vi postgresql.conf 
21c Add the following line in the postgresql.conf file: 
listen_addresses = '*' 
NOTE: To listen on restricted network interfaces, specify a comma separated list of IP 
addresses. 
22 Create a pg_log directory under <postgres home directory path>/data. 
For example: 
mkdir -p /opt/netiq/idm/postgres/data/pg_log 
23 Change the permissions for the pg_log directory. 
chown -R postgres:postgres <postgres directory path>/data/pg_log 
For example: 
chown -R postgres:postgres /opt/netiq/idm/postgres/data/pg_log 
24 Start the PostgreSQL service. 
systemctl start netiq-postgresql 
This will start the new PostgreSQL service. 
25 (Optional) Launch the new pgAdmin from the GUI: 
25a Copy the scripts directory from the old postgres home to the new postgres home. 
For example: 
cp -rvf /opt/netiq/idm/apps/postgres/scripts /opt/netiq/idm/postgres 
25b Navigate to the /opt/netiq/idm/postgres/scripts directory. 
25c Edit launchpgadmin.sh and replace the old PostgreSQL path with the new path. 
Replace /opt/netiq/idm/apps/postgres/ with /opt/netiq/idm/postgres. 
25d Navigate to the /usr/share/application directory and edit the .desktop application to 
provide the new path for launchpgadmin.sh. 
SLES: Edit the pg-pgadmin-9_6.desktop application and replace the Exec value with the new 
launchpgadmin.sh path. 
For example: 
Change the value of "Exec=/opt/netiq/idm/apps/postgres/scripts/launchpgadmin.sh" to 
"Exec=/opt/netiq/idm/postgres/scripts/launchpgadmin.sh" 
RHEL: Navigate to /usr/share/application and create the pg-pgadmin-9_6.desktop 
file with the following details: 
For example: 
[Desktop Entry] 
Version=1.0 
Encoding=UTF-8 
Name=pgAdmin 4 
Exec=/opt/netiq/idm/postgres/scripts/launchpgadmin.sh 
Icon=pg-pgadmin-9_6.png 
Terminal=false 
Type=Application 
25e Remove the old postgres home from the system. 
rm -rf /opt/netiq/idm/apps/postgres/ 
25f For changes to take effect, restart your system. 
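Steps 20 and 21 together open the database to any client that can reach its port: a host rule with the trust method asks for no password at all, and listen_addresses = '*' binds every interface. The following shell script is an added example, not part of the NetIQ guide; it audits both files so that you can confirm the rules were narrowed to the identity applications hosts before go-live. The file paths and the sample configuration contents are constructed for the demonstration, and the last pg_hba.conf line in the sample is the one step 20c adds.

```shell
#!/bin/sh
# Added example (not from the NetIQ guide): audit the PostgreSQL access rules that
# steps 20 and 21 leave behind before the identity applications go live.
# audit_pg_hba flags every host rule that uses the "trust" method (no password at all)
# for anything other than loopback; effective_listen_addresses shows which interfaces
# the server will bind. File paths and sample contents below are constructed.

# audit_pg_hba FILE -> prints one line per risky rule; exit status 1 if any were found
audit_pg_hba() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments and blank lines
        $1 == "host" || $1 == "hostssl" || $1 == "hostnossl" {
            addr = $4; method = $5
            # two-field form "ADDRESS NETMASK": the method shifts one column right
            if (addr !~ /\// && $5 ~ /^[0-9.]+$/) { addr = $4 "/" $5; method = $6 }
            # pg_hba.conf is first-match-wins, so a rule appended at the end only
            # applies to clients no earlier rule matched; trust from anything but
            # loopback lets any reachable host log in as any role without a password
            if (method == "trust" && addr != "127.0.0.1/32" && addr != "::1/128" && addr != "samehost") {
                printf "line %d: %s rule for %s uses trust (no authentication)\n", NR, $1, addr
                risky++
            }
        }
        END { if (risky > 0) exit 1 }
    ' "$1"
}

# effective_listen_addresses FILE -> last uncommented listen_addresses value, or the
# PostgreSQL default "localhost" when the setting is absent
effective_listen_addresses() {
    v=$(grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/#.*//' -e "s/[[:space:]']//g")
    printf '%s\n' "${v:-localhost}"
}

# Constructed sample files: the last pg_hba line is the one step 20c tells you to add,
# and the listen_addresses line is the one from step 21c.
HBA_SAMPLE=$(mktemp)
cat > "$HBA_SAMPLE" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS                   METHOD
local   all       all                             peer
host    all       all   127.0.0.1/32              md5
host    all       all   ::1/128                   md5
host    all       all   10.0.1.0 255.255.255.0    md5
host    all       all   0.0.0.0/0                 trust
EOF

CONF_SAMPLE=$(mktemp)
cat > "$CONF_SAMPLE" <<'EOF'
# constructed postgresql.conf excerpt
#listen_addresses = 'localhost'
port = 5432
listen_addresses = '*'    # added in step 21c
EOF

# Usage: the audit exits 1 when risky rules exist, so keep the "|| echo" if the
# calling script runs under set -e
audit_pg_hba "$HBA_SAMPLE" || echo "tighten pg_hba.conf before go-live"
echo "listen_addresses = $(effective_listen_addresses "$CONF_SAMPLE")"
```

pg_hba.conf is evaluated top to bottom and the first matching rule wins, so the line appended in step 20c only governs clients that no earlier rule matched. Restricting that rule to the identity applications server's address range with the md5 method (the password-based method available in PostgreSQL 9.6) and narrowing listen_addresses as the NOTE in step 21 describes removes both findings.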


7.5.5 Upgrading the Driver Packages for Identity Applications 


This section explains how to update the packages for the User Application Driver and Roles and 
Resource Service drivers to the latest version. You must perform this task before upgrading Identity 
Applications. 

1 In Designer, open your current project. 

2 Right-click Package Catalog > Import Package. 

3 Select the appropriate package. For example, User Application Driver Base package. 

4 Click OK. 

5 In the Developer View, right-click the driver and then click Properties. 

6 Navigate to the Packages tab in the Properties page. 

7 Click the Add package (+) symbol in the top right corner. 

8 Select the package, and then click OK. 
9 Repeat the same procedure to upgrade the package for the Roles and Resource Service driver. 


NOTE: Ensure that the User Application driver and Roles and Resource Service driver are 
connected to the upgraded Identity Manager. 


7.5.6 Upgrading Identity Applications 

NOTE: If your Identity Applications and SSPR are installed on different servers, you need to upgrade 
SSPR manually. For more information, see “Upgrading SSPR” on page 119. 

+ “Upgrading Identity Applications” on page 118 
+ “Upgrading SSPR” on page 119 

Upgrading Identity Applications 

The following procedure describes how to upgrade Identity Applications. 

1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website. 
2 Mount the downloaded .iso. 
3 Run the following command: 
./install.sh 
4 Read through the license agreement. 
5 Enter y to accept the license agreement. 
6 Specify whether you want to upgrade the Identity Manager components. The available options are 
y and n. 
7 Select Identity Applications to proceed with the upgrade. 
8 Specify the following details: 
SSPR Installation Folder: Specify the SSPR installation folder. 
User Application Folder: Specify the User Application folder. 
Identity Applications One SSO Service Password: Specify the One SSO password. 
Identity Applications Database JDBC jar file: Specify the database JAR file. The default 
location of the existing database jar file is /opt/netiq/idm/apps/postgres/postgresql-9.4.1212.jar. 
Create Schema for Identity Applications: Specifies when you want to create the database 
schema. The available options are Now, Startup, and File. 


Upgrading SSPR 

NOTE: If SSPR is installed on a different server than Identity Applications and OSP, you must 
upgrade SSPR separately. 

1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website. 
2 Mount the downloaded .iso. 
3 From the root directory of the .iso file, navigate to the SSPR directory. 
4 Run the following command: 
./install.sh 
5 Read through the license agreement. 
6 Enter y to accept the license agreement. 


7.5.7 Post-Upgrade Tasks 

+ Verify that the RBPM to eDirectory SAML configuration parameter in the configupdate utility is 
set to Auto. 
1. Launch the configupdate utility. 
2. Navigate to SSO Clients > RBPM and set RBPM to eDirectory SAML configuration to Auto. 
3. Save the changes. 
4. Start Tomcat. 
+ Change the ownership and permission of the OSP directory: 
chown novlua:novlua /opt/netiq/idm/apps/osp 
chmod +x /opt/netiq/idm/apps/osp 
+ Manually delete the previous version of the Tomcat and ActiveMQ services: 
/etc/init.d/idmapps_tomcat_init 
/etc/init.d/idmapps_activemq_init 

You must also restore the customized settings for Tomcat, SSPR, OSP, or Identity Applications 
manually. 

+ “Java” on page 120 
+ “Tomcat” on page 120 
+ “Identity Applications” on page 121 
+ “One SSO Provider” on page 122 
+ “Kerberos” on page 122 

Java 

Verify that the upgraded JRE location (jre/lib/security/cacerts) has all the certificates from the 
older JRE location. If a certificate is missing, manually import that certificate into the cacerts of the 
upgraded JRE. 

1 Import the certificate into the Java cacerts using the keytool command: 
keytool -import -trustcacerts -file Certificate_Path -alias ALIAS_NAME -keystore cacerts 

NOTE: After upgrade, the JRE is stored in the identity applications install location. For example: 
/opt/netiq/idm/apps/jre. 

2 Verify the JRE home location in: 
tomcat/bin/setenv.sh 
3 Launch the Configuration Update utility and verify the path of your cacerts. 
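The comparison in step 1 is easy to get wrong by hand when the old cacerts holds dozens of trusted entries. The script below is an added example, not NetIQ's code: it lists the trusted-certificate aliases in both keystores, computes which ones the upgraded JRE lacks, and imports only those under their original alias. OLD_CACERTS is a placeholder for wherever your pre-upgrade JRE backup lives; NEW_CACERTS uses the post-upgrade location named in the NOTE above; changeit is the stock Java keystore password, the same one the guide's keytool command in the Tomcat section uses. The alias lists at the bottom are constructed to show the diff logic without a JRE present.

```shell
#!/bin/sh
# Added example, not NetIQ's code: make sure every trusted certificate in the old JRE's
# cacerts also exists in the upgraded JRE's cacerts, importing only the missing ones.
# OLD_CACERTS is a placeholder for your pre-upgrade JRE backup; NEW_CACERTS is the
# post-upgrade location from the NOTE above; "changeit" is the stock Java keystore password.
OLD_CACERTS=${OLD_CACERTS:-/path/to/old/jre/lib/security/cacerts}
NEW_CACERTS=${NEW_CACERTS:-/opt/netiq/idm/apps/jre/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# list_aliases KEYSTORE -> sorted aliases of the trustedCertEntry items
# (keytool -list prints "alias, date, trustedCertEntry, ..." one entry per line)
list_aliases() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | awk -F, '/trustedCertEntry/ { print $1 }' | sort -u
}

# missing_aliases OLD_LIST NEW_LIST -> aliases of OLD_LIST absent from NEW_LIST
# (newline-separated lists, as produced by list_aliases); blank lines are ignored
missing_aliases() {
    if [ -z "$2" ]; then
        printf '%s\n' "$1" | grep -v '^$' || true
    else
        # grep -F -x treats each line of $2 as one exact, whole-line pattern to exclude
        printf '%s\n' "$1" | grep -v '^$' | grep -vxF -e "$2" || true
    fi
}

# sync_cacerts -> exports each missing certificate from the old store as PEM and
# imports it under the same alias into the new store
sync_cacerts() {
    old_list=$(list_aliases "$OLD_CACERTS")
    new_list=$(list_aliases "$NEW_CACERTS")
    missing_aliases "$old_list" "$new_list" | while IFS= read -r alias; do
        pem=$(mktemp)
        keytool -exportcert -rfc -keystore "$OLD_CACERTS" -storepass "$STOREPASS" \
                -alias "$alias" -file "$pem" \
        && keytool -importcert -noprompt -trustcacerts -keystore "$NEW_CACERTS" \
                -storepass "$STOREPASS" -alias "$alias" -file "$pem" \
        && echo "imported $alias"
        rm -f "$pem"
    done
}

# Constructed alias lists standing in for two keytool -list runs, to show the diff logic
SAMPLE_OLD="corp-root-ca
java-default-ca
partner-issuing-ca"
SAMPLE_NEW="java-default-ca"
missing_aliases "$SAMPLE_OLD" "$SAMPLE_NEW"   # prints corp-root-ca and partner-issuing-ca
# On the real server, run: sync_cacerts
```

Run sync_cacerts once the two paths point at the real keystores; it is idempotent, because a second run finds no missing aliases and imports nothing. Review the reported aliases against your change records before trusting them in the new JRE, since anything that was added to the old cacerts by hand is carried over unchanged.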


Tomcat 


1 (Conditional) To restore the customized files from the backup taken earlier by the upgrade 
process, perform the following tasks: 


+ Restore the customized https certificates. To restore these certificates, copy the Java 
Secure Socket Extension (JSSE) contents from the backed up server.xml to the new 
server.xml file in the /tomcat/conf directory. 


+ Do not copy the configuration files from the backed-up Tomcat directory to the new Tomcat 
directory. Start with the default configuration of the new version and make changes as 
needed. For more information, see this Apache Website. 


Verify that the new server.xml file has the following entries: 

<Connector port="8543" protocol="HTTP/1.1" 
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
clientAuth="false" sslProtocol="TLS" 
keystoreFile="path_to_keystore_file" 
keystorePass="keystore_password" /> 

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> 

<Connector port="8543" 
protocol="org.apache.coyote.http11.Http11NioProtocol" 
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
clientAuth="false" sslProtocol="TLS" 
keystoreFile="path_to_keystore_file" 
keystorePass="keystore_password" /> 
<!-- 
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> 
--> 


NOTE: In a cluster environment, manually uncomment the Cluster tag in server.xml 
and copy osp.jks to all nodes from the first node, where it is located at 
/opt/netiq/idm/apps/osp_backup_<date>. 


+ If you have customized keystore files, include the correct path in the new server.xml file. 


+ Import the identity applications certificates into the Identity Vault cacerts at 
/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts. 


For example, you can use the following keytool command to import certificates into the Identity 
Vault: 


keytool -importkeystore -alias <keyalias> -srckeystore <backup cacert> \
  -srcstorepass changeit \
  -destkeystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts \
  -deststorepass changeit 


2 (Conditional) Navigate to the User Application and restore the customized settings manually by 
reading the backed-up configuration. 
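The two certificate tasks above (checking that the upgraded JRE's cacerts still holds every certificate the old one had, and importing the identity applications certificates into the Identity Vault cacerts) can be done by comparing alias lists instead of by eye. The following script is an added example and is not part of the NetIQ guide: it parses `keytool -list` output from a backed-up keystore and from the current one, prints the aliases that exist only in the backup, and imports each of them with the same `keytool -importkeystore` form the guide shows. Keystore paths and passwords are parameters; the backup path in the usage comment is an assumption, and `changeit` is the Java default password the guide uses.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: report and import trusted-certificate
# entries that a backed-up cacerts has but the upgraded cacerts lacks.

# Read `keytool -list` output on stdin and print one alias per line, sorted.
# keytool prints each entry as:  <alias>, <date>, <entry type>,
parse_aliases() {
    awk -F', ' '/, (trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),[ \t]*$/ { print $1 }' \
        | LC_ALL=C sort -u
}

# Print the aliases found in the first saved `keytool -list` output file but not
# in the second. Works on saved listings, so it can be checked without a JRE.
missing_aliases() {
    old_sorted=$(mktemp) || return 1
    new_sorted=$(mktemp) || return 1
    parse_aliases < "$1" > "$old_sorted"
    parse_aliases < "$2" > "$new_sorted"
    LC_ALL=C comm -23 "$old_sorted" "$new_sorted"
    rm -f "$old_sorted" "$new_sorted"
}

# Import every alias present in SRC_KEYSTORE but absent from DST_KEYSTORE.
# Usage: sync_cacerts SRC_KEYSTORE SRC_PASS DST_KEYSTORE DST_PASS
sync_cacerts() {
    src=$1; src_pass=$2; dst=$3; dst_pass=$4
    src_list=$(mktemp) || return 1
    dst_list=$(mktemp) || return 1
    keytool -list -keystore "$src" -storepass "$src_pass" > "$src_list"
    keytool -list -keystore "$dst" -storepass "$dst_pass" > "$dst_list"
    missing_aliases "$src_list" "$dst_list" | while IFS= read -r alias; do
        echo "importing missing alias: $alias"
        # Same command form as the guide; -noprompt and </dev/null keep it non-interactive.
        keytool -importkeystore -noprompt -alias "$alias" \
            -srckeystore "$src" -srcstorepass "$src_pass" \
            -destkeystore "$dst" -deststorepass "$dst_pass" < /dev/null
    done
    rm -f "$src_list" "$dst_list"
}

# Example invocation. The upgraded JRE path is the one the guide's note gives;
# the backup location is an assumption for this example.
# sync_cacerts /opt/netiq/idm/apps/jre_backup/lib/security/cacerts changeit \
#              /opt/netiq/idm/apps/jre/lib/security/cacerts changeit
```

Run `missing_aliases` on two saved listings first to review what would be imported; `sync_cacerts` performs the imports and can be pointed at the Identity Vault cacerts path from the step above in the same way.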


Identity Applications 


Restore the customized identity applications configurations from the backup taken during the upgrade 
process. 


If you renamed the custom context folder to IDMProv before running the upgrade 
program, change the context folder name back to the original context name using the configupdate 
utility. For example, the original custom context name is IDMDev and it was renamed to IDMProv. 


Complete the following steps to change the context name back to the original context name: 


1 Navigate to the User Application directory located in /opt/netiq/idm/apps/UserApplication. 


2 (Optional) To launch the configupdate utility in GUI mode, ensure that the use_console option is 
set to false in the configupdate.sh.properties file. 


This step is required because the upgrade utility changes the value of this option to true. 
Alternatively, launch the configupdate utility and pass an additional command line argument on 
Linux. 


./configupdate.sh use_console=false 


3 Launch the configupdate utility. 
configupdate.sh 
4 In User Application tab, click Show Advanced Options and perform the following steps: 
4a Check Change RBPM Context Name check box. 
4b Change the RBPM context name to the original context name. 
4c Browse and select the appropriate Roles Driver DN and click OK. 
4d Change the permission and ownership of the WAR file using the following command. 


chmod 755 <Original_Context_Name>.war; chown -R novlua:novlua <Original_Context_Name>.war 


For example, if the original custom context name is IDMDev: 
chmod 755 IDMDev.war; chown -R novlua:novlua IDMDev.war 


5 (Conditional) If you have completed all the post-upgrade tasks, then start the Tomcat service for 
Identity Applications. 


One SSO Provider 


If OSP and the User Application are deployed on different servers, update the SSO client parameter 
using the Configuration Update utility. For more information, see “IDM Dashboard” on page 77 in 
Section 5.2.5, “SSO Clients Parameters,” on page 77. 


By default, the LogHost entry located at /etc/logevent.conf file is set to localhost. 


To modify the LogHost entry, manually restore the customized OSP configurations from the backup 
taken during the upgrade process. 


Kerberos 


The upgrade utility creates a new Tomcat folder on your computer. If any of the Kerberos files, such as 
the keytab and Kerberos_login.config, resided in the old Tomcat folder, copy these files from the 
backed-up folder to the new Tomcat folder. 


Upgrading Identity Reporting 


Identity Reporting includes two drivers. Perform the upgrade in the following order: 


NOTE: Ensure that your database is upgraded to a supported version. 


1. Upgrade your database to a supported version. For information on upgrading PostgreSQL 
database, see Section 7.5.4, “Upgrading the PostgreSQL Database,” on page 115. 


2. Upgrade the driver packages. For more information, see Section 7.6.2, “Upgrading the Driver 
Packages for Identity Reporting,” on page 123. 


3. Upgrade/Migrate to Sentinel Log Management for IGA. 


If you are upgrading from Identity Reporting 4.6.x, upgrade Sentinel Log Management for IGA to 
4.7 version. For more information, see Section 7.6.3, “Upgrading Sentinel Log Management for 
IGA,” on page 123. 


If you are migrating from Identity Reporting 4.5.x, migrate from EAS to Sentinel Log 
Management for IGA. For more information, see Section 10.7.1, “Migrating from Event Auditing 
Service to Sentinel Log Management for IGA,” on page 142. 


4. Upgrade Identity Reporting. For more information, see Section 7.6.5, “Upgrading Identity 
Reporting,” on page 124. 
7.6.1 Prerequisites and Considerations for Upgrade 


Before you perform an upgrade, the following considerations apply: 


+ During upgrade, ensure that you specify the correct location for the postgresql-9.4.1212.jar 
file. The default location is /opt/netiq/idm/postgres/. The database connection will fail in the 
following scenarios: 


+ if you provide the incorrect path 
+ if you provide the incorrect jar file 
+ if the firewall is enabled 
+ if the database does not accept connections from remote machines 


+ If your database is configured over SSL, remove ssl=true from the server.xml file located at 
/opt/netiq/idm/apps/tomcat/conf/. For example, change 


jdbc:postgresql://<postgres db>:5432/idmuserappdb?ssl=true 


to 


jdbc:postgresql://<postgres db>:5432/idmuserappdb 
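Both of the server.xml checks the guide describes for the identity applications Tomcat (the HTTPS Connector entries listed under the Tomcat post-upgrade tasks, and the ssl=true parameter in the JDBC URL above) can be scripted so that the result is reviewable. The following is an added example, not code from the NetIQ guide: it strips XML comments (stock server.xml files ship an SSL connector example inside a comment, which would otherwise be mistaken for the live one), verifies that the connector with SSLEnabled="true" has scheme, secure and real keystore values rather than the guide's placeholders, and rewrites a jdbc:postgresql URL without its ssl=true parameter wherever that parameter sits in the query string, keeping a timestamped copy of the file. The server.xml path is the one the guide gives; the Resource element in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: audit the upgraded Tomcat server.xml.

# Print FILE with XML comments removed and everything on one line, so that an
# element spanning several lines can be matched with one pattern.
flatten_xml() {
    tr '\n' ' ' < "$1" | awk '{
        s = $0; out = ""
        while ((i = index(s, "<!--")) > 0) {
            out = out substr(s, 1, i - 1); s = substr(s, i + 4)
            j = index(s, "-->"); if (j == 0) { s = ""; break }
            s = substr(s, j + 3)
        }
        print out s }'
}

# Print every <Connector .../> element of FILE, one per line.
connectors() { flatten_xml "$1" | grep -o '<Connector[^>]*>'; }

# attr NAME ELEMENT: print the value of NAME="..." in ELEMENT (empty if absent).
attr() { printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"; }

# Verify the HTTPS connector the guide lists. Prints every problem; returns 1 on any.
check_https_connector() {
    conn=$(connectors "$1" | grep 'SSLEnabled="true"' | head -n 1)
    if [ -z "$conn" ]; then
        echo "FAIL: no Connector with SSLEnabled=\"true\" in $1"; return 1
    fi
    status=0
    [ "$(attr scheme "$conn")" = "https" ] || { echo "FAIL: scheme is not https"; status=1; }
    [ "$(attr secure "$conn")" = "true" ] || { echo "FAIL: secure is not true"; status=1; }
    ks=$(attr keystoreFile "$conn")
    case $ks in
        ""|path_to_keystore_file) echo "FAIL: keystoreFile still holds the placeholder"; status=1 ;;
        *) [ -r "$ks" ] || { echo "FAIL: keystoreFile $ks is not readable"; status=1; } ;;
    esac
    [ "$(attr keystorePass "$conn")" != "keystore_password" ] \
        || { echo "FAIL: keystorePass still holds the placeholder"; status=1; }
    return $status
}

# Remove the ssl=true parameter from one JDBC URL, wherever it sits in the query.
strip_ssl_param() {
    printf '%s\n' "$1" | sed -e 's/?ssl=true&/?/' -e 's/&ssl=true//' -e 's/?ssl=true$//'
}

# Rewrite every jdbc:postgresql URL in FILE the same way, keeping a timestamped copy.
fix_jdbc_urls() {
    cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    sed -e 's/\(jdbc:postgresql:[^"]*\)?ssl=true&/\1?/' \
        -e 's/\(jdbc:postgresql:[^"]*\)&ssl=true/\1/' \
        -e 's/\(jdbc:postgresql:[^"]*\)?ssl=true"/\1"/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage (path from the guide; the url="..." attribute is assumed to sit on a
# <Resource> element in that file):
# check_https_connector /opt/netiq/idm/apps/tomcat/conf/server.xml
# fix_jdbc_urls /opt/netiq/idm/apps/tomcat/conf/server.xml
```

`fix_jdbc_urls` only applies to the scenario the guide describes; because it removes the parameter that requested an SSL-protected database session, check the backup copy it writes before restarting Tomcat so that the change is deliberate.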


7.6.2 Upgrading the Driver Packages for Identity Reporting 


This section explains how to update the packages for the Managed System Gateway and Data 
Collection Service drivers to the latest version. You must perform this task before upgrading Identity 
Reporting. 

1 In Designer, open your current project. 

2 Right-click Package Catalog > Import Package. 

3 Select the appropriate package. For example, Managed System Gateway Base package. 

4 Click OK. 

5 In the Developer View, right-click the driver and then click Properties. 

6 Navigate to the Packages tab in the Properties page. 

7 Click the Add package (+) symbol in the top right corner. 

8 Select the package, and then click OK. 

9 Repeat the same procedure to upgrade the package for the Data Collection Service Driver. 


NOTE: Ensure that the Managed System Gateway Driver and Data Collection Service Driver are 
connected to the upgraded Identity Manager. 


7.6.3 Upgrading Sentinel Log Management for IGA 


1 Download the SentinelLogManagementForIGA8.1.1.0.tar.gz from the NetIQ downloads 
Website. 
2 Navigate to a directory where you want to extract the file. 
3 Run the following command to extract the file. 
tar -zxvf SentinelLogManagementForIGA8.1.1.0.tar.gz 
4 Navigate to the SentinelLogManagementForIGA directory. 
5 To install SLM for IGA, run the following command: 
./install.sh 
6 Specify the language that you want to use for installation, then press Enter. 
7 Enter y to accept the license agreement and proceed with the upgrade. 


NOTE: After SLM for IGA is upgraded, you need to manually import the latest collectors. 
1. Navigate to the directory where you have extracted the 
SentinelLogManagementForIGA8.1.1.0.tar.gz file. 
2. Navigate to the /content/ directory. 


3. Import and configure the respective collectors. For more information, see Installing and 
Configuring the Identity Manager Collector in the NetIQ Identity Manager - Configuring Auditing 
in Identity Manager. 


7.6.4 Upgrading the Operating System 


When you upgrade the operating system from SLES 11 to SLES 12, the upgrade procedure for the 
operating system deletes some SLM for IGA RPMs. 


The following commands ensure SLM for IGA works correctly after you upgrade the operating 
system. 


NOTE: You must upgrade SLM for IGA before you upgrade the operating system. 


Use the following steps to upgrade your operating system: 


1 Navigate to the directory where the Sentinel install file was extracted. 
2 Stop the Sentinel services: 
rcsentinel stop 
3 Run the following command: 
./install.sh --preosupgrade 
4 Upgrade your operating system. 
5 Run the following command: 
./install.sh --postosupgrade 
6 Restart the Sentinel service: 
rcsentinel restart 


7.6.5 Upgrading Identity Reporting 


1 Download the Identity_Manager_4.7_Linux.iso from the NetIQ Downloads website. 
2 Mount the downloaded .iso. 
3 Run the following command: 
./install.sh 
4 Read through the license agreement. 
5 Enter y to accept the license agreement. 
6 Specify whether you want to upgrade the Identity Manager components. The available options are 
y and n. 
7 Select Identity Reporting to proceed with the upgrade. 
8 Specify the following details: 

OSP Installed: Specify if OSP is installed. 

OSP Install Folder: Specify the backup installation folder for OSP. 

Reporting Installation Folder for backup: Specify the Reporting Installation folder. 

Create schema for Identity Reporting: Specify whether you want to create the schema for 
your database now or later. The available options are Now, 

Identity Reporting Database JDBC jar file: Specify the database JAR file for Identity 
Reporting. The default location of the existing database jar file is 
/opt/netiq/idm/apps/postgres/postgresql-9.4.1212.jar. 

Identity Reporting Database user: Specify the name of the Reporting database user. 

Identity Reporting Database account password: Specify the Reporting database password. 

7.6.6 Post-upgrade Steps for Reporting 


NOTE: Identity Manager 4.6.1 reports do not work after you perform an upgrade. You can only use 
Identity Manager 4.7 reports. 


During upgrade, if you have selected Database Schema creation as Startup or File, ensure you do 
the following: 


1. Log in to Identity Reporting. 
2. Delete the existing datasource and report definitions from the Identity Reporting repository. 
3. Add the new Identity Manager Data Collection Services datasource. 


7.6.7 Verifying the Upgrade for Identity Reporting 


1 Launch Identity Reporting. 
2 Verify that old and new reports are being displayed in the tool. 
3 Look at the Calendar to see whether your scheduled reports appear. 
4 Ensure that the Settings page displays your previous settings for managed and unmanaged 
applications. 
5 Verify that all other settings look correct. 
6 Verify whether the application lists your completed reports. 
Upgrading Analyzer 


To upgrade Analyzer, NetIQ provides patch files in .zip format. Before upgrading Analyzer, ensure 
that the computer meets the prerequisites and system requirements. For more information, see the 
Release Notes accompanying the update. 


1 Download the Identity_Manager_4.7_Linux_Analyzer.tar.gz from the NetIQ download 
website. 


2 Extract the .zip file to the directory that contains the Analyzer installation files, such as the 
plug-ins, uninstallation script, and other Analyzer files. 


3 Restart Analyzer. 

4 To verify that you successfully applied the new patch, complete the following steps: 
4a Launch Analyzer. 
4b Click Help > About Analyzer. 
4c Check whether the program displays the new version. 


7.8 Adding New Servers to the Driver Set 


When you upgrade or migrate Identity Manager to new servers, you must update the driver set 
information. This section guides you through the process. You can use Designer or iManager to 
update the driver set. 


7.8.1 Adding the New Server to the Driver Set 


If you are using iManager, you must add the new server to the driver set. Designer contains a 
Migration Wizard for the server that does this step for you. If you are using iManager, complete the 
following procedure: 


1 In iManager, click the icon to display the Identity Manager Administration page. 
2 Click Identity Manager Overview. 
3 Browse to and select the container that holds the driver set. 
4 Click the driver set name to access the Driver Set Overview page. 
5 Click Servers > Add Server. 
6 Browse to and select the new Identity Manager server, then click OK. 


7.8.2 Removing the Old Server from the Driver Set 


After the new server is running all of the drivers, you can remove the old server from the driver set. 


+ “Using Designer to Remove the Old Server from the Driver Set” on page 126 
+ “Using iManager to Remove the Old Server from the Driver Set” on page 127 


+ “Decommissioning the Old Server” on page 127 


Using Designer to Remove the Old Server from the Driver Set 


1 In Designer, open your project. 
2 In the Modeler, right-click the driver set, then select Properties. 

3 Select Server List. 


4 Select the old Identity Manager server in the Selected Servers list, then click the < to remove the 
server from the Selected Servers list. 


5 Click OK to save the changes. 
6 Deploy the change to the Identity Vault. 


For more information, see “Deploying a Driver Set to an Identity Vault” in the NetIQ Designer for 
Identity Manager Administration Guide. 


Using iManager to Remove the Old Server from the Driver Set 


1 In iManager, click the icon to display the Identity Manager Administration page. 
2 Click Identity Manager Overview. 
3 Browse to and select the container that holds the driver set. 
4 Click the driver set name to access the Driver Set Overview page. 
5 Click Servers > Remove Server. 
6 Select the old Identity Manager server, then click OK. 


Decommissioning the Old Server 


At this point, the old server is not hosting any drivers. If you no longer need this server, you must 
complete additional steps to decommission it: 


1 Remove the eDirectory replicas from this server. 
For more information, see “Deleting Replicas” in the NetIQ eDirectory Administration Guide. 


2 Remove eDirectory from this server. 
For more information, see TID 10056593, “Removing a Server From an NDS Tree Permanently”. 


7.9 Restoring Custom Policies and Rules to the Driver 


After installing or upgrading to new packages for your drivers, you must restore any custom policies 
or rules to the driver after you overlay the new driver configuration file. If these policies have different 
names, they are still stored in the driver, but the links are broken and need to be reestablished. 


+ Section 7.9.1, “Using Designer to Restore Custom Policies and Rules to the Driver,” on page 127 
+ Section 7.9.2, “Using iManager to Restore Custom Policies and Rules to the Driver,” on page 128 


7.9.1 Using Designer to Restore Custom Policies and Rules to the Driver 


You can add policies into the policy set. You should perform these steps in a test environment before 
you move the upgraded driver to your production environment. 


1 In the Outline view, select the upgraded driver, then click the Show Policy Flow icon. 


2 Right-click the policy set where you need to restore the customized policy to the driver, then 
select Add Policy > Copy Existing. 
3 Browse to and select the customized policy, then click OK. 
4 Specify the name of the customized policy, then click OK. 
5 Click Yes in the file conflict message to save your project. 
6 After the Policy Builder opens the policy, verify that the information is correct in the copied policy. 
7 Repeat Step 2 through Step 6 for each customized policy you need to restore to the driver. 
8 Start the driver and test the driver. 


For more information on starting the driver, see <TBD - provide a link to the book where you will 
have the Starting the Drivers section>. For more information on testing the driver, see “Testing 
Policies with the Policy Simulator” in NetIQ Identity Manager - Using Designer to Create Policies. 


After you verify that the policies work, move the driver to the production environment. 


7.9.2 Using iManager to Restore Custom Policies and Rules to the Driver 


Perform these steps in a test environment before you move the upgraded driver to your production 
environment. 


1 In iManager, select Identity Manager > Identity Manager Overview. 
2 Browse to and select the location in the tree to search for Driver Set objects, then click the 
search icon. 
3 Click the Driver Set object that contains the upgraded driver. 
4 Click the driver icon, then select the policy set where you need to restore the customized policy. 
5 Click Insert. 
6 Select Use an existing policy, then browse to and select the custom policy. 
7 Click OK, then click Close. 
8 Repeat Step 3 through Step 7 for each custom policy you need to restore to the driver. 
9 Start the driver and test the driver. 


For information on starting the driver, see <TBD - provide a link to the book where you will have 
the Starting the Drivers section>. There is no policy simulator in iManager. To test the policies, 
cause events to happen that make the policies execute. For example, create a user, modify a 
user, or delete a user. 


After you verify that the policies work, move the driver to the production environment. 
Switching from Advanced Edition to Standard Edition 


You should switch to Standard Edition only if you do not want any Advanced Edition functionality in 
your environment and want to scale down your Identity Manager deployment. 


1 (Conditional) If you have already applied the Advanced Edition activation, remove the activation. 
2 (Conditional) To switch to the Standard Edition evaluation mode, perform the following actions: 
2a Navigate to the Identity Vault dib directory. 
/var/opt/novell/eDirectory/data/dib 
2b Create a new file, name it .idme, and add 2 (numeric) to the file. 
2c Restart eDirectory. 
2d Continue with Step 4. 
3 (Conditional) If you have already purchased a Standard Edition activation, apply the activation. 
4 Stop Tomcat. 
5 Remove the following WAR files and webapps folders from the /opt/netiq/idm/apps/tomcat/ 
webapps directory: 
+ IDMProv* 
+ IDMRPT* 
+ dash* 
+ idmdash* 
+ landing* 
+ rra* 
+ rptdoc* 
6 Move the following existing folders to a backup directory: 
+ IDMReporting 
+ UserApplication 
7 Copy the ism-configuration.properties file from the <install folder>/tomcat/conf 
directory to a backup directory. 


8 Install Identity Reporting from the Identity Manager 4.6 media. 


9 Start configupdate.sh from the <reporting install folder>/bin directory and specify 
values for the following parameters: 
Reporting tab: Specify the settings in the following sections: 
+ ID Vault 
+ Identity Vault User Identity 
+ Report Administrators 
+ Report Admin Role Container DN. For example, ou=sa, o=data 
+ Report Administrators. For example, cn=uaadmin, ou=sa, o=data 
Authentication tab: Specify the settings in the following sections: 
+ Authentication Server 
+ OAuth server host identifier. For example, IP address or DNS name of the 
authentication server such as 192.168.0.1 
+ OAuth server TCP port 
+ OAuth server is using TLS/SSL 
+ Authentication Configuration 
+ OAuth keystore file. For example, /opt/netiq/idm/apps/osp/osp.jks 
+ Key alias of key for use by OAuth 
+ Key password of key for use by OAuth 
+ Session Timeout (minutes). For example, 60 minutes. 
SSO Clients tab: Specify the settings in the following sections: 
+ Reporting 
+ URL link to landing page. For example, http://192.168.0.1:8180/IDMRPT 
+ Self Service Password Reset 
+ OAuth client ID. For example, sspr 
+ OAuth client secret. For example, <sspr client secret> 
+ OSP OAuth redirect url. For example, http://192.168.0.1:8180/sspr/public/oauth 


For more information about Configuration Utility, see “Running the Identity Applications 
Configuration Utility” on page 62. 


10 Save the changes and exit the Configuration Utility. 
11 Start Tomcat. 
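Steps 4 to 7 of the procedure above (stop Tomcat, clear the Advanced Edition web applications, set the IDMReporting and UserApplication folders aside, keep a copy of ism-configuration.properties) are file operations that are easy to get wrong with a hand-typed wildcard. The following script is an added example and not part of the NetIQ guide: it applies exactly the patterns the guide lists, but moves the matching WAR files and folders into a timestamped backup directory instead of deleting them, so the step can be reversed if the wrong server was touched, and it reports what remains afterwards. The install root defaults to the guide's /opt/netiq/idm/apps; the Tomcat stop command and the backup location are assumptions.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: reversible edition-switch cleanup.

# Patterns of the Advanced Edition webapps the guide lists for removal.
ADVANCED_WEBAPPS='IDMProv* IDMRPT* dash* idmdash* landing* rra* rptdoc*'
# Folders the guide moves to a backup directory.
BACKUP_FOLDERS='IDMReporting UserApplication'

# Print the existing paths under WEBAPPS_DIR that match the guide's patterns, one per line.
list_advanced_webapps() {
    set -f                                   # keep the patterns literal while splitting the list
    for pattern in $ADVANCED_WEBAPPS; do
        set +f                               # expand the pattern inside the webapps directory only
        for path in "$1"/$pattern; do
            [ -e "$path" ] && printf '%s\n' "$path"
        done
        set -f
    done
    set +f
}

# Move every matching webapp from WEBAPPS_DIR into BACKUP_DIR/webapps.
move_advanced_webapps() {
    mkdir -p "$2/webapps"
    list_advanced_webapps "$1" | while IFS= read -r path; do
        mv "$path" "$2/webapps/" && echo "moved $path"
    done
}

# Number of matching webapps still present, so a caller can confirm the directory is clean.
remaining_advanced_webapps() { list_advanced_webapps "$1" | wc -l | tr -d ' '; }

# Move the IDMReporting and UserApplication folders from INSTALL_ROOT into BACKUP_DIR
# and copy ism-configuration.properties there as the guide asks.
move_install_folders() {
    root=$1; backup=$2
    mkdir -p "$backup"
    for folder in $BACKUP_FOLDERS; do
        if [ -d "$root/$folder" ]; then
            mv "$root/$folder" "$backup/" && echo "moved $root/$folder"
        fi
    done
    if [ -f "$root/tomcat/conf/ism-configuration.properties" ]; then
        cp "$root/tomcat/conf/ism-configuration.properties" "$backup/" \
            && echo "copied ism-configuration.properties"
    fi
}

# Whole procedure. Usage: switch_to_standard_edition [INSTALL_ROOT] [BACKUP_DIR]
switch_to_standard_edition() {
    root=${1:-/opt/netiq/idm/apps}
    backup=${2:-$root/standard_edition_backup_$(date +%Y%m%d%H%M%S)}   # assumed location
    systemctl stop netiq-tomcat.service     # assumption: use the Tomcat service name on your host
    move_advanced_webapps "$root/tomcat/webapps" "$backup"
    move_install_folders "$root" "$backup"
    echo "Advanced Edition webapps still present: $(remaining_advanced_webapps "$root/tomcat/webapps")"
}
```

Run `list_advanced_webapps /opt/netiq/idm/apps/tomcat/webapps` on its own first to see exactly which paths the patterns select on the server before anything is moved.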
Migrating Identity Manager Data to a New Installation 


This section provides information on migrating existing data in Identity Manager components to a new 
installation. Most migration tasks apply to the Identity Applications. To upgrade Identity Manager 
components, see Part III, “Upgrading Identity Manager,” on page 97. For more information about the 
difference between upgrade and migration, see Section 6.2, “Understanding Upgrade Process,” on 
page 101. 
9 Preparing to Migrate Identity Manager 


This section provides information to help you prepare for migrating your Identity Manager solution to 
the new installation. 


9.1 Checklist for Performing a Migration 


To perform a migration, NetIQ recommends that you complete the steps in the following checklist. 


Checklist Items 


1. Determine whether you should perform an upgrade or a migration. For more information, see 
Section 6.2, “Understanding Upgrade Process,” on page 101. 


2. Ensure that you have the latest installation kit to migrate your Identity Manager data. 


3. Ensure that your computers meet the hardware and software prerequisites for a newer 
version of Identity Manager. For more information, see Section 1.4, “Minimum Space 
Requirements,” on page 18 and the Release Notes for the version to which you want to 
upgrade. 


4. Upgrade eDirectory to the latest supported version for the Identity Vault. For more information, 
see Section 7.3.1, “Upgrading the Identity Vault,” on page 108. 


5. Add the eDirectory replicas that are on the current Identity Manager server to the new server. 
For more information, see Section 10.4, “Migrating the Identity Manager Engine to a New 
Server,” on page 138. 


6. Install Identity Manager on the new server. For more information, see “Planning to Install 
Identity Manager” on page 13. 


7. (Conditional) If any of the drivers in the driver set are Remote Loader drivers, upgrade the 
Remote Loader server for each driver. For more information, see Section 7.3.3, “Upgrading 
the Remote Loader,” on page 109. 


8. (Conditional) If you are running the User Application on your old server, update the 
component and its drivers. For more information, see Section 10.1, “Checklist for Migrating 
Identity Manager,” on page 135. 


9. Change the server-specific information for each driver. For more information, see 
Section 10.3.1, “Copying the Server-specific Information in Designer,” on page 137. 


10. (Conditional) If you have RBPM, update the server-specific information from the old server to 
the new server for the User Application. For more information, see Section 10.3, “Copying 
Server-specific Information for the Driver Set,” on page 137. 


11. Update your drivers to the package format. For more information, see Section 7.4, “Upgrading 
the Identity Manager Drivers,” on page 112. 


12. (Conditional) If you have custom policies and rules, restore your customized settings. For more 
information, see Section 7.9, “Restoring Custom Policies and Rules to the Driver,” on 
page 127. 


13. Install Identity Reporting and associated drivers. For more information, see Section 10.7, 
“Migrating Identity Reporting,” on page 142. 


14. Remove the old server from the driver set. For more information, see Section 7.8.2, 
“Removing the Old Server from the Driver Set,” on page 126. 


15. Activate your upgraded Identity Manager solution. For more information, see Activating 
Identity Manager in NetIQ Identity Manager Overview and Planning Guide - Work-In-Progress 
DRAFT. 
Migrating Identity Manager to a New Server 


This section provides information for migrating from the User Application to the identity applications 
on a new server. You might also need to perform a migration when you cannot upgrade an existing 
installation. This section includes the following activities: 


+ Section 10.1, “Checklist for Migrating Identity Manager,” on page 135 
+ Section 10.2, “Preparing Your Designer Project for Migration,” on page 136 
+ Section 10.3, “Copying Server-specific Information for the Driver Set,” on page 137 
+ Section 10.4, “Migrating the Identity Manager Engine to a New Server,” on page 138 
+ Section 10.5, “Migrating the User Application Driver,” on page 139 
+ Section 10.6, “Completing the Migration of the Identity Applications,” on page 140 
+ Section 10.7, “Migrating Identity Reporting,” on page 142 


10.1 Checklist for Migrating Identity Manager 


NetIQ recommends that you complete the steps in the following checklist. 




Checklist Items 


1. Back up the directories and databases of your Identity Manager solution. 


2. Ensure that you have installed the latest versions of the Identity Manager components, except 
for the identity applications. For more information, see the latest release notes for the 
components. 


NOTE: To continue using your current User Application database, specify Existing Database 
in the installation program. For more information, see Chapter 3, “Installing Identity Manager,” 
on page 37. 


3. Run a health check of the Identity Vault to ensure that the schema extends properly. Use TID 
3564075 to complete the health check. 


4. Import your existing User Application drivers into Designer. 


5. Archive the Designer project. It represents the pre-migration state of the drivers. For more 
information, see Section 10.2, “Preparing Your Designer Project for Migration,” on page 136. 


6. (Conditional) To migrate the Identity Manager engine to a new server, copy the eDirectory 
replicas to the new server. For more information, see Section 10.4, “Migrating the Identity 
Manager Engine to a New Server,” on page 138. 


7. Create a new Designer project in the latest version of Designer, then import the User 
Application driver to prepare for migration. 
8. Migrate the User Application driver. For more information, see Section 10.5, “Migrating the 
User Application Driver,” on page 139. 


9. Upgrade the Identity Applications. For more information, see Section 7.5, “Upgrading Identity 
Applications,” on page 113. 


10. (Conditional) To upgrade an Oracle database with an SQL file created by the installation 
process, prepare the Oracle environment. For more information, see Section 10.6.1, 
“Preparing an Oracle Database for the SQL File,” on page 140. 


11. Ensure that your browsers do not contain content from the previous versions of Identity 
Manager. For more information, see Section 10.6.2, “Flushing the Browser Cache,” on 
page 141. 


12. (Conditional) Reinstate your custom settings for the SharedPagePortlet. For more 
information, see Section 10.6.3, “Updating the Maximum Timeout Setting for the 
SharedPagePortlet,” on page 141. 


13. Ensure that the search option for groups does not display information until the user provides 
filter parameters. For more information, see Section 10.6.4, “Disabling the Automatic Query 
Setting for Groups,” on page 141. 
10.2 Preparing Your Designer Project for Migration 


Before you migrate the driver, you need to perform some setup steps to prepare the Designer project 
for migration. 


NOTE: If you do not have an existing Designer project to migrate, create a new project by using File 
> Import > Project (From Identity Vault). 


1 Launch Designer. 


2 (Conditional) If you have an existing Designer project that contains the User Application that you 
want to migrate, back up the project: 


2a Right-click the name of the project in Project view, then select Copy Project. 
2b Specify a name for the project, then click OK. 
3 To update the schema for your existing project, complete the following steps: 
3a In the Modeler view, select the Identity Vault. 
3b Select Live > Schema > Import. 


4 (Optional) To verify that the version number for Identity Manager is correct in your project, 
complete the following steps: 


4a In the Modeler view, select the Identity Vault and then click Properties. 
4b In the left navigation menu, select Server List. 
4c Select a server and then click Edit. 


The Identity Manager version field should show the latest version. 
10.3 Copying Server-specific Information for the Driver Set 


You must copy all server-specific information that is stored in each driver and driver set to the new 
server's information. This also includes GCVs and other data on the driver set that will not be there on 
the new server and need to be copied. The server-specific information is contained in: 

+ Global configuration values 
+ Engine control values 
+ Named passwords 
+ Driver authentication information 
+ Driver startup options 
+ Driver parameters 
+ Driver set data 
You can do this in Designer or iManager. If you use Designer, it is an automated process. If you use 
iManager, it is a manual process. If you are migrating from an Identity Manager server earlier than 3.5 
version to an Identity Manager server greater than or equal to 3.5, you should use iManager. For all 
other supported migration paths, you can use Designer. 

+ Section 10.3.1, “Copying the Server-specific Information in Designer,” on page 137 
+ Section 10.3.2, “Changing the Server-specific Information in iManager,” on page 138 
+ Section 10.3.3, “Changing the Server-specific Information for the User Application,” on page 138 


10.3.1 Copying the Server-specific Information in Designer 


This procedure affects all drivers stored in the driver set. 


1 In Designer, open your project. 
2 In the Outline tab, right-click the server, then select Migrate. 
3 Read the overview to see what items are migrated to the new server, then click Next. 
4 Select the target server from the list of available servers, then click Next. 


The only servers listed are servers that are not currently associated with a driver set and are 
equal to or newer than the source server’s Identity Manager version. 


5 Select one of the following options: 


+ Make the target server active: Copies the settings from the source server to the target 
server and disables the drivers on the source server. NetIQ recommends using this option. 


+ Keep the source server active: Does not copy the settings and disables all drivers on the 
target server. 


+ Make both target and source servers active: Copies settings from the source server to 
the target server without disabling the drivers on the source or target servers. This option is 
not recommended. If both drivers are started, the same information is written to two different 
queues and this can cause corruption. 


6 Click Migrate. 
7 Deploy the changed drivers to the Identity Vault. 


For more information, see “Deploying a Driver to an Identity Vault” in the NetIQ Designer for 
Identity Manager Administration Guide. 
8 Start the drivers. 


For more information, see <TBD - provide a link to the book where you will have the Starting the 
Drivers section>. 


10.3.2 Changing the Server-specific Information in iManager 


1 In iManager, click the icon to display the Identity Manager Administration page. 
2 Click Identity Manager Overview. 
3 Browse to and select the container that holds the driver set. 
4 Click the driver set name to access the Driver Set Overview page. 
5 Click the upper right corner of the driver, then click Stop driver. 
6 Click the upper right corner of the driver, then click Edit properties. 
7 Copy or migrate all server-specific driver parameters, global configuration values, engine control 
values, named passwords, driver authentication data, and driver startup options that contain the 
old server’s information to the new server's information. Global configuration values and other 
parameters of the driver set, such as max heap size, Java settings, and so on, must have 
identical values to those of the old server. 


8 Click OK to save all changes. 
9 Click the upper right corner of the driver to start the driver. 
10 Repeat Step 5 through Step 9 for each driver in the driver set. 


10.3.3 Changing the Server-specific Information for the User Application 

You must reconfigure the User Application to recognize the new server. Run configupdate.sh. 
1 Navigate to the configuration update utility located by default in the installation subdirectory of 
the User Application. 
2 At a command prompt, launch the configuration update utility: 


configupdate.sh 


3 Specify the values as described in Chapter 5.2, “Configuring the Settings for the Identity 
Applications,” on page 62. 


10.4 Migrating the Identity Manager Engine to a New Server 


When migrating the Identity Manager engine to a new server, you can keep the eDirectory replicas 
that you currently use on the old server. 

1 Install a supported version of eDirectory on the new server. 

2 Copy the eDirectory replicas that are on the current Identity Manager server to the new server. 


For more information, see “Administering Replicas” in the NetIQ eDirectory Administration 
Guide. 


3 Install the Identity Manager engine on the new server. 


For more information, see Chapter 3, “Installing Identity Manager,” on page 37. 


10.5 Migrating the User Application Driver 


When upgrading to a new version of Identity Manager or migrating to a different server, you might 
need to import a new base package for the User Application driver, or upgrade the existing package. 
For example, User Application Base Version 2.2.0.20120516011608. 


When you begin working with an Identity Manager project, Designer automatically prompts you to 
import new packages into the project. You can also manually import the package at that time. 


10.5.1 Importing a New Base Package 


1 Open your project in Designer. 
2 Right-click Package Catalog > Import Package, then select the appropriate package. 


3 (Conditional) If the Import Package dialog does not list the User Application Base package, 
complete the following steps: 


3a Click the Browse button. 


3b Navigate to designer_root/packages/eclipse/plugins/NOVLUABASE_version_of_latest_package.jar. 


3c Click OK. 
4 Click OK. 


10.5.2 Upgrading an Existing Base Package 


1 Open your project in Designer. 
2 Right-click the User Application Driver. 
3 Click Driver > Properties > Packages. 


If the base package can be upgraded, the application displays a check mark in the Upgrades 
column. 


4 Click Select Operation for the package that indicates there is an upgrade available. 
5 From the drop-down list, click Upgrade. 
6 Select the version to which you want to upgrade. Then click OK. 
7 Click Apply. 
8 Fill in the fields with appropriate information to upgrade the package. Then click Next. 
9 Read the summary of the installation. Then click Finish. 
10 Close the Package Management page. 


11 Deselect Show only applicable package versions. 


10.5.3 Deploying the Migrated Driver 


The driver migration is not complete until you deploy the User Application driver to the Identity Vault. 
After the migration, the project is in a state in which only the entire migrated configuration can be 
deployed. You cannot import any definitions into the migrated configuration. After the entire migration 
configuration has been deployed, this restriction is lifted, and you can deploy individual objects and 
import definitions. 


1 Open the project in Designer and run the Project Checker on the migrated objects. 
For more information, see “Validating Provisioning Objects” in the NetIQ Identity Manager - 
Administrator's Guide to Designing the Identity Applications. If validation errors exist for the 
configuration, you are informed of the errors. These errors must be corrected before you can 
deploy the driver. 


2 In the Outline view, right-click the User Application driver. 
3 Select Deploy. 


4 Repeat this process for each User Application driver in the driver set. 


10.6 Completing the Migration of the Identity Applications 


After upgrading or migrating the identity applications, complete the migration process. 


10.6.1 Preparing an Oracle Database for the SQL File 
During the installation process, you might have chosen to write a SQL file to update the identity 
applications database. If your database runs on an Oracle platform, you must perform some steps 
before you can run the SQL file. 


1 In the database, run the following SQL statements: 


ALTER TABLE DATABASECHANGELOG ADD ORDEREXECUTED INT; 
UPDATE DATABASECHANGELOG SET ORDEREXECUTED = -1; 
ALTER TABLE DATABASECHANGELOG MODIFY ORDEREXECUTED INT NOT NULL; 
ALTER TABLE DATABASECHANGELOG ADD EXECTYPE VARCHAR(10); 
UPDATE DATABASECHANGELOG SET EXECTYPE = 'EXECUTED'; 
ALTER TABLE DATABASECHANGELOG MODIFY EXECTYPE VARCHAR(10) NOT NULL; 


2 Run the following updateSQL command: 


/opt/novell/idm/jre/bin/java -Xms256m -Xmx256m -Dwar.context.name=IDMProv \
-jar /opt/novell/idm/liquibase.jar \
--databaseClass=com.novell.soa.persist.liquibase.OracleUnicodeDatabase \
--driver=oracle.jdbc.driver.OracleDriver \
--classpath=/root/ojdbc8.jar:/opt/novell/idm/tomcat/server/IDMProv/deploy/IDMProv.war \
--changeLogFile=DatabaseChangeLog.xml \
--url="jdbcURL" --logLevel=debug \
--logFile=/opt/novell/idm/db.out --contexts="prov,updatedb" --username=xxxx \
--password=xxxx updateSQL > /opt/novell/idm/db.sql 


3 In a text editor, open the SQL file, by default in the /installation_path/userapp/sql 
directory. 


4 Insert a slash (/) after the definition of the function CONCAT_BLOB. For example: 


-- Changeset icfg-data-load.xml::700::IDMRBPM 
CREATE OR REPLACE FUNCTION CONCAT_BLOB(A IN BLOB, B IN BLOB) RETURN BLOB AS 
C BLOB; 
BEGIN 
DBMS_LOB.CREATETEMPORARY(C, TRUE); 
DBMS_LOB.APPEND(C, A); 
DBMS_LOB.APPEND(C, B); 
RETURN C; 
END; 
/ 

5 Execute the SQL file. 


NOTE: Do not use SQL*Plus to execute the SQL file. The line lengths in the file exceed 4000 
characters. 
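As an added illustration of steps 3 and 4 (not part of the NetIQ procedure), the following Python script applies the CONCAT_BLOB terminator fix to the generated SQL file and reports the longest line, which is what the NOTE above is about. The embedded SQL text is constructed for the example; the function and changeset names are those shown above, and the script name fix_db_sql.py is hypothetical.

```python
import re

# Start of the PL/SQL function that needs a "/" terminator line after its END;
CONCAT_BLOB_RE = re.compile(r"CREATE\s+OR\s+REPLACE\s+FUNCTION\s+CONCAT_BLOB\b", re.IGNORECASE)
# SQL*Plus cannot execute the file when any line is longer than this.
SQLPLUS_MAX_LINE = 4000

# Constructed sample of what the updateSQL output looks like around the function
# (the real db.sql is far longer and has lines above SQLPLUS_MAX_LINE).
SAMPLE_SQL = """\
-- Changeset icfg-data-load.xml::700::IDMRBPM
CREATE OR REPLACE FUNCTION CONCAT_BLOB(A IN BLOB, B IN BLOB) RETURN BLOB AS
C BLOB;
BEGIN
DBMS_LOB.CREATETEMPORARY(C, TRUE);
DBMS_LOB.APPEND(C, A);
DBMS_LOB.APPEND(C, B);
RETURN C;
END;
INSERT INTO DATABASECHANGELOG (ID, AUTHOR, FILENAME) VALUES ('700', 'IDMRBPM', 'icfg-data-load.xml');
"""


def add_plsql_terminator(sql_text):
    """Insert a "/" line after the END; that closes CONCAT_BLOB.

    Returns (fixed_text, number_of_lines_inserted). Running it twice is safe:
    an existing "/" (ignoring blank lines) is detected and nothing is added.
    """
    lines = sql_text.splitlines()
    out, inserted = [], 0
    depth = None  # None outside the function, else nesting depth of BEGIN/END blocks
    for i, line in enumerate(lines):
        out.append(line)
        token = line.strip().upper()
        if CONCAT_BLOB_RE.search(line):
            depth = 0
        elif depth is not None:
            if token == "BEGIN":
                depth += 1
            elif token == "END;":
                depth -= 1
                if depth == 0:
                    # Look past blank lines for a terminator that is already there.
                    nxt = next((l.strip() for l in lines[i + 1:] if l.strip()), None)
                    if nxt != "/":
                        out.append("/")
                        inserted += 1
                    depth = None
    fixed = "\n".join(out)
    if sql_text.endswith("\n"):
        fixed += "\n"
    return fixed, inserted


def longest_line(sql_text):
    """Length of the longest line in the file."""
    return max((len(l) for l in sql_text.splitlines()), default=0)


def sqlplus_safe(sql_text):
    """True only if every line fits the SQL*Plus limit (it does not for the real db.sql)."""
    return longest_line(sql_text) <= SQLPLUS_MAX_LINE


if __name__ == "__main__":
    import sys
    # Usage: python fix_db_sql.py <path to the SQL file opened in step 3>
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SQL
    fixed, n = add_plsql_terminator(text)
    if path:
        open(path, "w", encoding="utf-8").write(fixed)
    print(f"inserted {n} terminator line(s); longest line {longest_line(fixed)} chars; "
          f"SQL*Plus usable: {sqlplus_safe(fixed)}")
```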


10.6.2 Flushing the Browser Cache 


Before you log in to the identity applications, you should flush the cache on the browser. If you do not 
flush the cache, you might experience some runtime errors. 


10.6.3 Updating the Maximum Timeout Setting for the 
SharedPagePortlet 


If you have customized any of the default settings or preferences for the SharedPagePortlet, then it 
has been saved to your database and this setting will get overwritten. As a result, navigating to the 
Identity Self-Service tab might not always highlight the correct Shared Page. To be sure that you do 
not have this problem, complete the following steps: 

1 Log in as a User Application Administrator. 
2 Navigate to Administration > Portlet Administration. 
3 Expand Shared Page Navigation. 
4 In the portlet tree on the left, click Shared Page Navigation. 
5 On the right side of the page, click Settings. 
6 Ensure that Maximum Timeout is set to 0. 
7 Click Save Settings. 


10.6.4 Disabling the Automatic Query Setting for Groups 


By default, the DNLookup Display for the Group entity in the Directory Abstraction Layer is enabled. 
This means that whenever the object selector is opened for a group assignment, all the groups are 
displayed by default without the need to search them. You should change this setting, since the 
window to search for groups should be displayed without any results until the user provides input for 
search. 


You can change this setting in Designer by unchecking Perform Automatic Query, as shown below: 
[Figure: Designer Directory Abstraction Layer editor. The UI Control section shows Data Type DN, 
Format Type <None> and Control Type DNLookup; the DNLookup Display section shows Lookup Entity 
Group, Lookup Attributes Description, and the Perform Automatic Query check box, which is cleared 
(uncheck this if you don't want the autoquery to occur).] 


10.7 Migrating Identity Reporting 


Migrating from a previous version of Identity Manager involves migration of Identity Reporting. Ensure 
that you incorporate the following considerations: 




+ Manually migrate the Event Auditing Service data to the PostgreSQL database. 
+ Clean up the existing Reporting installation. 
+ Perform a new installation of Identity Reporting 4.7 on the new server. 
+ Specify the installation location of the existing authentication service and Identity Vault for the 
newly installed Identity Reporting. 


10.7.1 Migrating from Event Auditing Service to Sentinel Log Management for IGA 


This section provides information about migrating the SIEM data from the EAS database to a 
supported PostgreSQL database. 


You must create the required roles and table spaces to ensure there are no failures during migration. 


Prepare the New PostgreSQL Database 


1 Stop EAS to ensure that none of the events are sent to the EAS server. 
2 Using iManager, stop the DCS driver: 
2a Log in to iManager. 
2b Stop the DCS driver. 


2c Edit the driver properties to change the startup option to Manual. 


This step ensures that the driver does not start automatically. 


3 Run the following SQL commands to create the required roles, table space, and database using 
pgAdmin. 


This step ensures there are no failures during migration. 


3a Run the following commands to create the required roles: 

CREATE ROLE esec_app 
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE; 

CREATE ROLE esec_user 
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE; 

CREATE ROLE admin LOGIN 
ENCRYPTED PASSWORD '<specify the password for admin>' 
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE; 
GRANT esec_user TO admin; 

CREATE ROLE appuser LOGIN 
ENCRYPTED PASSWORD '<specify the password for appuser>' 
NOSUPERUSER INHERIT NOCREATEDB CREATEROLE; 
GRANT esec_app TO appuser; 

CREATE ROLE dbauser LOGIN 
ENCRYPTED PASSWORD '<specify the password for dbauser>' 
SUPERUSER INHERIT CREATEDB CREATEROLE; 

CREATE ROLE idmrptsrv LOGIN 
ENCRYPTED PASSWORD '<specify the password for idmrptsrv>' 
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE; 
GRANT esec_user TO idmrptsrv; 

CREATE ROLE idmrptuser LOGIN 
ENCRYPTED PASSWORD '<specify the password for idmrptuser>' 
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE; 

CREATE ROLE rptuser LOGIN 
ENCRYPTED PASSWORD '<specify the password for rptuser>' 
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE; 
GRANT esec_user TO rptuser; 

3b Run the following command to create the table space: 

CREATE TABLESPACE sendata1 
OWNER dbauser 
LOCATION '<provide the location where the table space has to be created>'; 

For example, 

CREATE TABLESPACE sendata1 
OWNER dbauser 
LOCATION '/opt/netiq/idm/apps/postgres/data'; 
3c Run the following command to create the SIEM database: 

CREATE DATABASE "SIEM" 
WITH OWNER = dbauser 
ENCODING = 'UTF8' 
TABLESPACE = sendata1 
CONNECTION LIMIT = -1; 
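As an added pre-flight check for step 3a (not part of the NetIQ procedure), this Python script parses the CREATE ROLE and GRANT statements before they are executed and lists which roles receive SUPERUSER, CREATEDB or CREATEROLE, which LOGIN roles still carry the '<specify the password for ...>' placeholder, and whether every granted role is actually created. The embedded script text is constructed from the statements above, with one placeholder replaced by a made-up password so the check has something to distinguish.

```python
import re

# Attributes CREATE ROLE accepts in the statements above; PostgreSQL defaults to the NO* form.
ROLE_FLAGS = ("SUPERUSER", "CREATEDB", "CREATEROLE", "LOGIN")

# Constructed copy of the role script from step 3a. Only admin has had its
# placeholder replaced (with a made-up value); the others are left as shipped.
ROLE_SCRIPT = """
CREATE ROLE esec_app
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
CREATE ROLE esec_user
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
CREATE ROLE admin LOGIN
ENCRYPTED PASSWORD 'Example-Pass-1'
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
GRANT esec_user TO admin;
CREATE ROLE appuser LOGIN
ENCRYPTED PASSWORD '<specify the password for appuser>'
NOSUPERUSER INHERIT NOCREATEDB CREATEROLE;
GRANT esec_app TO appuser;
CREATE ROLE dbauser LOGIN
ENCRYPTED PASSWORD '<specify the password for dbauser>'
SUPERUSER INHERIT CREATEDB CREATEROLE;
CREATE ROLE idmrptsrv LOGIN
ENCRYPTED PASSWORD '<specify the password for idmrptsrv>'
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
GRANT esec_user TO idmrptsrv;
CREATE ROLE idmrptuser LOGIN
ENCRYPTED PASSWORD '<specify the password for idmrptuser>'
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
CREATE ROLE rptuser LOGIN
ENCRYPTED PASSWORD '<specify the password for rptuser>'
NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
GRANT esec_user TO rptuser;
"""


def split_statements(sql_text):
    """Split on ';' outside single-quoted strings, so a ';' inside a password is kept."""
    stmts, buf, in_quote = [], [], False
    for ch in sql_text:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return stmts + ([tail] if tail else [])


def parse_role_script(sql_text):
    """Return (roles, members): per-role attribute flags and password, and GRANT memberships."""
    roles, members = {}, {}
    for stmt in split_statements(sql_text):
        m = re.match(r"CREATE\s+ROLE\s+(\w+)(.*)", stmt, re.IGNORECASE | re.DOTALL)
        if m:
            name, options = m.group(1).lower(), m.group(2)
            pw = re.search(r"PASSWORD\s+'((?:[^']|'')*)'", options, re.IGNORECASE | re.DOTALL)
            if pw:  # drop the literal so its text cannot be mistaken for an option keyword
                options = options[:pw.start()] + options[pw.end():]
            words = {w.upper() for w in re.findall(r"[A-Za-z]+", options)}
            roles[name] = {
                "flags": {f: (f in words and "NO" + f not in words) for f in ROLE_FLAGS},
                "password": pw.group(1) if pw else None,
            }
            continue
        g = re.match(r"GRANT\s+(\w+)\s+TO\s+(\w+)", stmt, re.IGNORECASE)
        if g:
            members.setdefault(g.group(1).lower(), set()).add(g.group(2).lower())
    return roles, members


def review(roles, members):
    """Findings to read before running the script: elevated roles, unset passwords, dangling grants."""
    findings = []
    for name, info in sorted(roles.items()):
        elevated = [f for f in ("SUPERUSER", "CREATEDB", "CREATEROLE") if info["flags"][f]]
        if elevated:
            findings.append(f"{name}: {', '.join(elevated)}")
        pw = info["password"]
        if info["flags"]["LOGIN"] and (pw is None or pw.startswith("<")):
            findings.append(f"{name}: LOGIN role without a real password")
    for role in sorted(members):
        if role not in roles:
            findings.append(f"GRANT {role}: role is not created by this script")
    return findings


if __name__ == "__main__":
    r, mem = parse_role_script(ROLE_SCRIPT)
    for line in review(r, mem):
        print(line)
```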


Export Data from EAS 


1 Stop EAS to ensure that none of the events are sent to the EAS server. 
2 Using iManager, stop the DCS driver: 
2a Log in to iManager. 
2b Stop the DCS driver. 
2c Edit the driver properties to change the startup option to Manual. 
This step ensures that the driver does not start automatically. 
3 Export the data from EAS database to a file: 
3a Log in to the EAS user account: 
# su - novleas 
3b Specify a location where the EAS user has full access, for example, /home/novleas. 
3c Navigate to the PostgreSQL installation directory and execute the following commands: 
For example, 
export PATH=/opt/novell/sentinel_eas/3rdparty/postgresql/bin/:$PATH 
export LD_LIBRARY_PATH=/opt/novell/sentinel_eas/3rdparty/postgresql/lib/:$LD_LIBRARY_PATH 

3d Export the data to a .sql file using the following command: 
./pg_dump -p <portnumber> -U <username> -d <dbname> -f <export location> 
For example, 
./pg_dump -p 15432 -U dbauser SIEM -f /home/novleas/SIEM.sql 


Import Data into the New PostgreSQL Database 


1 Stop EAS to ensure that none of the events are sent to the EAS server. 
2 Using iManager, stop the DCS driver: 
2a Log in to iManager. 
2b Stop the DCS driver. 
2c Edit the driver properties to change the startup option to Manual. 
This step ensures that the driver does not start automatically. 
3 Import the data to the new PostgreSQL database: 
3a (Conditional) Create a postgres user. 
This is specific to Windows only. A user is automatically created on Linux. 


3b Copy the file exported in Step 3d to a location to which the postgres user has full access. 
For example, /opt/netiq/idm/postgres 


3c Execute the following command to import data to the PostgreSQL database. 

psql -d <dbname> -U <username> -f <full path where the exported file is located> 

For example, 
psql -d SIEM -U postgres -f /opt/netiq/idm/apps/postgres/SIEM.sql 


4 Check for any migration log errors and resolve them. 


NOTE: The Identity Manager 4.7 reports will not use the audit data that is migrated from EAS to SLM 
for IGA. Instead, these reports will use the audit data that is directly synchronized from SLM for IGA. 


10.7.2 Setting up the New Reporting Server 


After importing the EAS data to the new PostgreSQL database, install a new Reporting application on 
a different server and point it to Identity Vault and the existing authentication service. 
1 Stop the existing Tomcat service (running your existing Reporting application). 


2 Create a back-up of your existing Identity Reporting WAR files from the tomcat/webapps directory 
and Reporting Home from /opt/netiq/idm/apps/ outside of the Tomcat installation path. 

3 Remove the EAS entries from the existing server.xml file. 
4 Create a new database in the same PostgreSQL database where the EAS data is migrated. 


5 Install and configure Identity Reporting on the new server and point it to the existing single sign- 
on service and Identity Vault. For more information, see Chapter 4, “Configuring Identity 
Manager Engine, Identity Applications, and Identity Reporting,” on page 53. 


6 To point the existing single sign-on service to the newly installed Identity Reporting, modify the 
Identity Reporting configuration entries using the configuration update utility. 


7 Restart the Tomcat server running the existing single sign-on service. 


10.7.3 Creating the Data Synchronization Policy 


After the Reporting server is configured, you need to create the data synchronization policy for 
forwarding events from SLM for IGA to the Reporting database. The following considerations apply 
when upgrading to Identity Reporting 4.7. 


NOTE 


+ If you are upgrading from Identity Reporting 4.5.6 to Identity Reporting 4.7, then you need to 
create a new policy in the Identity Manager Data Collections Services page. For more 
information, see the About the Data Sync Policies tab section of the Administrator Guide to NetIQ 
Identity Reporting. 

+ If you are upgrading from Identity Reporting 4.6.x to Identity Reporting 4.7, follow the steps from 
Identity Manager Upgrade Issues of the NetIQ Identity Manager 4.7 Release Notes. 
Deploying Identity Manager for High Availability 


High availability ensures efficient manageability of critical network resources including data, 
applications, and services. NetIQ supports high availability for your Identity Manager solution through 
clustering or hypervisor clustering, such as VMware vMotion. When planning a high-availability 
environment, the following considerations apply: 
+ You can install the following components in a high-availability environment: 
  + Identity Vault 
  + Identity Manager engine 
  + Remote Loader 
  + Identity applications, except Identity Reporting 
+ To manage the availability of your network resources for your Identity Manager environment, use 
the SUSE Linux Enterprise High Availability Extension with SUSE Linux Enterprise Server 
(SLES) 12 SP2 or later with the latest patches installed. 
+ When you run the Identity Vault in a clustered environment, the Identity Manager engine is also 
clustered. 

For more information about...                        See... 

Determining the server configuration for Identity    High Availability Configuration in the NetIQ Identity 
Manager components                                   Manager Overview and Planning Guide - Work-In-Progress DRAFT 

Running the Identity Vault in a cluster              Sample Identity Manager Cluster Deployment Solution on SLES 12 SP2 
                                                     Deploying eDirectory on High Availability Clusters in the 
                                                     NetIQ eDirectory Installation Guide 

Running the identity applications in a cluster       Sample Identity Applications Cluster Deployment Solution on 
                                                     Tomcat Application Server 


For more information on implementing high availability and disaster recovery in your Identity Manager 
environment, contact NetIQ Technical Support (https://www.netiq.com/support/). 


The following chapters provide the steps for installing and configuring Identity Manager components 
in a high availability environment: 

+ Chapter 11, “Sample Identity Manager Cluster Deployment Solution on SLES 12 SP2,” on 
page 149 

+ Chapter 12, “Sample Identity Applications Cluster Deployment Solution on Tomcat Application 
Server,” on page 157 
Sample Identity Manager Cluster Deployment Solution on SLES 12 SP2 


This chapter provides step-by-step instructions on how to configure eDirectory and Identity Manager 
in a supported SUSE Linux Enterprise Server (SLES) cluster environment with shared storage, and 
an example of a clustered Identity Manager deployment. 


+ Section 11.1, “Prerequisites,” on page 149 
+ Section 11.2, “Installation Procedure,” on page 150 


For a production-level Linux High Availability (HA) solution with shared storage, implementing a 
fencing mechanism in the cluster is recommended. Although there are different methods of 
implementing fencing mechanisms in the cluster, in our example, we use a STONITH resource which 
uses the Split Brain Detector (SBD). 


Figure 11-1 on page 149 shows a sample cluster deployment solution. 


Figure 11-1 Sample cluster deployment solution 
11.1 Prerequisites 


+ Two servers running SLES 12 SP2 64-bit for nodes 
+ One server running SLES 12 SP2 64-bit for the iSCSI server 
+ SLES 12 SP2 64-bit HA extension ISO image file 
+ Six static IPs: 
  + Two static IP addresses for each node. 
  + One static IP address for the cluster. This IP address is dynamically assigned to the node 
currently running eDirectory. 
  + One IP address for the iSCSI server. 

11.2 Installation Procedure 


This section explains the procedure to install and configure the following to set up the cluster 
environment. For more information about configuring the SLES High Availability Extension, see the 
SUSE Linux Enterprise High Availability Extension guide. 


11.2.1 Configuring the iSCSI Server 


An iSCSI target is a device that is configured as common storage for all nodes in a cluster. It is a 
virtual disk that is created on the Linux server to allow remote access over an Ethernet connection by 
an iSCSI initiator. An iSCSI initiator is any node in the cluster that is configured to contact the target 
(iSCSI) for services. The iSCSI target should always be up and running so that any host acting as an 
initiator can contact the target. Before installing the iSCSI target on the iSCSI server, ensure that the 
iSCSI target has sufficient space for common storage. Install the iSCSI initiator packages on the 
other two nodes after installing SLES 12 SP2. 


During the SLES 12 SP2 installation: 


1 Create a separate partition and specify the partition path as the iSCSI shared storage partition. 


2 Install the iSCSI target packages. 
To configure the iSCSI server: 


1 Create a block device on the target server. 
2 Type the yast2 disk command in the terminal. 
3 Create a new Linux partition, and select Do not format. 
4 Select Do not mount the partition. 
5 Specify the partition size. 
6 Type the yast2 iscsi-server or yast2 iscsi-lio-server command in the terminal. 
7 Click the Service tab, then select When Booting in the Service Start option. 
8 In the Targets tab, click Add to enter the partition path (as created during the SLES installation). 
9 In the Modify iSCSI Target Initiator Setup page, specify the iSCSI client initiator host names for the 
target server, then click Next. 

For example, iqn.sles12sp2node2.com and iqn.sles12sp2node3.com. 
10 Click Finish. 
11 Run the cat /proc/net/iet/volume command in the terminal to verify that the iSCSI target is 
installed. 
11.2.2 Configuring the iSCSI Initiator on All Nodes 


You must configure the iSCSI initiator on all cluster nodes to connect to the iSCSI target. 
To configure the iSCSI initiator: 


1 Install the iSCSI initiator packages. 
2 Run the yast2 iscsi-client command in the terminal. 
3 Click the Service tab and select When Booting in the Service Start option. 
4 Click the Connected Targets tab, and click Add to enter the IP address of the iSCSI target 
server. 
5 Select No Authentication. 
6 Click Next, then click Connect. 
7 Click Toggle Start-up to change the start-up option from manual to automatic, then click Next. 
8 Click Next, then click OK. 
9 To check the status of the connected initiator on the target server, run the cat /proc/net/iet/ 
session command on the target server. The list of initiators that are connected to the iSCSI server 
is displayed. 


11.2.3 Partitioning the Shared Storage 


Create two shared storage partitions: one for SBD and the other for Cluster File System. 
To partition the shared storage: 


1 Run the yast2 disk command in terminal. 


2 In the Expert Partitioner dialog box, select the shared volume. In our example, select sdb from 
the Expert Partitioner dialog box. 


3 Click Add, select Primary partition option, and click Next. 


4 Select Custom size, and click Next. In our example, the custom size is 100 MB. 


5 Under Formatting options, select Do not format partition. In our example, the File system ID is 
0x83 Linux. 
6 Under Mounting options, select Do not mount partition, then click Finish. 
7 Click Add, then select Primary partition. 
8 Click Next, then select Maximum Size, and click Next. 
9 In Formatting options, select Do not format partition. In our example, specify the File system ID 
as 0x83 Linux. 
10 In Mounting options, select Do not mount partition, then click Finish. 


11.2.4 Installing the HA Extension 


To install the HA extension: 


1 Go to the SUSE Downloads website. 


SUSE Linux Enterprise High Availability Extension (SLE HA) is available for download for each 
available platform as two ISO images. Media 1 contains the binary packages and Media 2 
contains the source code. 
NOTE: Select and install the appropriate HA extension ISO file based on your system 
architecture. 

2 Download the Media 1 ISO file on each server. 
3 Open the YaST Control Center dialog box, then click Add-on products > Add. 
4 Click Browse and select the DVD or local ISO image, then click Next. 
5 In the Patterns tab, select High Availability under Primary Functions. 
Ensure that all the components under High Availability are installed. 
6 Click Accept. 


11.2.5 Setting up Softdog Watchdog 


In SLES HA Extension, the Watchdog support in the kernel is enabled by default. It is shipped with a 
number of different kernel modules that provide hardware-specific watchdog drivers. The appropriate 
watchdog driver for your hardware is automatically loaded during system boot. 
1 Enable the softdog watchdog: 
echo softdog > /etc/modules-load.d/watchdog.conf 
systemctl restart systemd-modules-load 
2 Test if the softdog module is loaded correctly: 


lsmod | grep dog 
This example assumes that you are configuring two nodes in a cluster. 
Setting up the first node: 


1 Log in as root to the physical or virtual machine you want to use as cluster node. 
2 Run the following command: 
ha-cluster-init 


The command checks for NTP configuration and a hardware watchdog service. It generates the 
public and private SSH keys used for SSH access and Csync2 synchronization and starts the 
respective services. 


3 Configure the cluster communication layer: 
3a Enter a network address to bind to. 


3b Enter a multicast address. The script proposes a random address that you can use as 
default. 


3c Enter a multicast port. By default, the port is 5405. 
4 Set up SBD as the node fencing mechanism: 
4a Press y to use SBD. 


4b Enter a persistent path to the partition of your block device that you want to use for SBD. 
The path must be consistent for both the nodes in the cluster. 
5 Configure a virtual IP address for cluster administration: 
5a Press y to configure a virtual IP address. 


5b Enter an unused IP address that you want to use as administration IP for SUSE Hawk GUI. 
For example, 192.168.1.3. 


Instead of logging in to an individual cluster node, you can connect to the virtual IP address. 


Once the first node is up and running, add the second cluster node using the ha-cluster-join 
command. 


Setting up the second node: 


1 Log in as root to the physical or virtual machine through which you want to connect to the cluster. 
2 Run the following command: 
ha-cluster-join 


If NTP is not configured, a message appears. The command checks for a hardware watchdog 
device and notifies if it is not present. 


3 Enter the IP address of the first node. 
4 Enter the root password of the first node. 


5 Log in to the SUSE Hawk GUI and then click Status > Nodes. For example, 
https://192.168.1.3:7630/cib/live. 

[Figure: SUSE Hawk Nodes page listing SLES12SP2-Node1 and SLES12SP2-Node2 with their Status, 
Maintenance, Standby and Operations columns.] 


11.2.7 Installing and Configuring eDirectory and Identity Manager 
on Cluster Nodes 


1 Install eDirectory on cluster nodes: 


Install a supported version of eDirectory. For step-by-step instructions to configure eDirectory on 
a HA cluster, see “Deploying eDirectory on High Availability Clusters” in the eDirectory 
Installation Guide. 


IMPORTANT: Ensure that the virtual IP is configured on the Node1 before you install eDirectory 
on Node1. 


2 Install Identity Manager on Node 1 using the Metadirectory Server option. 
3 Install the Identity Manager engine on Node 2 using the DCLUSTER_INSTALL option. 
Run the ./install.bin -DCLUSTER_INSTALL="true" command in the terminal. 

The installer installs the Identity Manager files without any interaction with eDirectory. 
11.2.8 Configuring the eDirectory Resource 


1 Log in to SUSE Hawk GUI. 


2 Click Add Resource and create a new group. 
2a Click the icon next to Group. 
2b Specify a group ID. For example, Group-1. 
Ensure that the following child resources are selected when you create a group: 
+ stonith-sbd 
+ admin_addr (Cluster IP address) 
3 In the Meta Attributes tab, set the target-role field to Started and the is-managed field to Yes. 
4 Click Edit Configuration and then click the edit icon next to the group you created in step 2. 
5 In the Children field, add the following child resources: 
+ shared-storage 
+ eDirectory-resource 

For example, the resources should be added in the following order within the group: 
+ stonith-sbd 
+ admin_addr (Cluster IP address) 
+ shared-storage 
+ eDirectory-resource 


You can change the resource names if necessary. Every resource has a set of parameters that 
you need to define. For information about examples for shared-storage and eDirectory 
resources, see Primitives for eDirectory and Shared Storage Child Resources. 


11.2.9 Primitives for eDirectory and Shared Storage Child 
Resources 


The stonith-sbd and admin_addr resources are configured by HA Cluster commands by default when 
initializing the cluster node. 


Table 11-1 Example for shared-storage 

Resource ID            Name of the shared storage resource 
Class                  ocf 
Provider               heartbeat 
Type                   Filesystem 
device                 /dev/sdc1 
directory              /shared 
fstype                 xfs 
Operations             + start (60, 0) 
                       + stop (60, 0) 
                       + monitor (40, 20) 
is-managed             Yes 
resource-stickiness    100 
target-role            Started 


Table 11-2 Example for eDirectory-resource 

Resource ID            Name of the eDirectory resource 
Class                  systemd 
Type                   ndsdtmpl-shared-conf-nds.conf@-shared-conf-env 
Operations             + start (100, 0) 
                       + stop (100, 0) 
                       + monitor (100, 60) 
target-role            Started 
is-managed             Yes 
resource-stickiness    100 
failure-timeout        125 
migration-threshold    0 


11.2.10 Changing the Location Constraint Score 


Change the location constraint score to 0. 


1 Log in to SUSE Hawk GUI. 
2 Click Edit Configuration. 


3 In the Constraints tab, click the edit icon next to node 1 of your cluster. 
4 In the Simple tab, set the score to 0. 
5 Click Apply. 


Ensure that you set the score to 0 for all the nodes in your cluster. 


NOTE: When you migrate the resources from one node to another from the SUSE Hawk GUI using 
the Status > Resources > Migrate option, the location constraint score changes to Infinity or 
-Infinity. This gives preference to only one of the nodes in the cluster and results in delays in 
eDirectory operations. 
Sample Identity Applications Cluster Deployment Solution on Tomcat Application Server 


This chapter provides instructions on how to configure the identity applications into a cluster 
environment on Tomcat with an example deployment. 


Clustering allows you to run the identity applications on several parallel servers (cluster nodes) to 
achieve high availability. To build a cluster, you need to group several Tomcat instances (nodes) 
together. The load is distributed across different servers, and even if any of the servers fail, the 
identity applications are accessible through other cluster nodes. For failover, you can create a cluster 
of the identity applications and configure them to act as a single server. However, this configuration 
does not include Identity Reporting. 


It is recommended to use a load balancer software that processes all user requests and dispatches 
them to the server nodes in the cluster. The load balancer is typically part of the cluster. It 
understands the cluster configuration as well as failover policies. You can select a solution that best 
suits you. 


Figure 12-1 shows a sample deployment with a two-node cluster with the following assumptions: 


+ All the communication is routed through the load balancer. 


+ Components such as the Identity Manager engine and the User Application are installed on 
separate servers. This is the recommended approach for a production-level deployment. 


+ You are familiar with the installation procedures for eDirectory, the Identity Manager engine, the 
identity applications, the Tomcat application server, and the databases for the User Application. 


+ SSPR (Self Service Password Reset) is installed on a separate computer. For a production-level 
deployment, this is the recommended approach. 


+ PostgreSQL is used as the database for the User Application. However, you can use any of the 
supported databases, such as Oracle or MSSQL. 


+ All the User Application nodes communicate with the same instance of eDirectory and the same 
User Application database. Based on your requirements, you can increase the number of User 
Application instances. 
Figure 12-1 Sample cluster deployment solution 


NOTE: A two-node cluster is the minimum configuration used for high availability. However, the 
concepts in this section can easily be extended to a cluster with additional nodes. 


To help you understand the step-by-step configuration, this sample deployment is referred throughout 
the subsequent sections of the document. 


12.1 Prerequisites 


You can install the database for the identity applications in an environment supported by Tomcat 
clusters with the following considerations: 


+ The cluster must have a unique cluster partition name, multicast address, and multicast port. 
Using unique identifiers separates multiple clusters to prevent performance problems and 
anomalous behavior. 


+ For each member of the cluster, you must specify the same port number for the listener port 
of the identity applications database. 


+ For each member of the cluster, you must specify the same hostname or IP address of the 
server hosting the identity applications database. 


+ Clock time is synchronized among the servers in the cluster. Otherwise, sessions might time out 
early, causing HTTP session failover not to work properly. 


+ NetIQ recommends that you do not use multiple logins across browser tabs or browser sessions 
on the same host. Some browsers share cookies across tabs and processes, so allowing multiple 
logins might cause problems with HTTP session failover (in addition to risking unexpected 
authentication behavior if multiple users share a computer). 
+ The cluster nodes reside in the same subnet. 


+ A failover proxy or a load balancing solution is installed on a separate computer. 


12.2 Preparing a Cluster 


The identity applications support HTTP session replication and session failover. If a session is in 
process on a node and that node fails, the session can be resumed on another server in the cluster 
without intervention. Before installing the identity applications in a cluster, you should prepare the 
environment. 


+ Section 12.2.1, "Understanding Cluster Groups in Tomcat Environments," on page 159 


+ Section 12.2.2, "Setting System Properties for Workflow Engine IDs," on page 159 


+ Section 12.2.3, "Using the Same Master Key for Each User Application in the Cluster," on 
page 159 


12.2.1 Understanding Cluster Groups in Tomcat Environments 


The User Application cluster group uses a UUID name to minimize the risk of conflicts with other 
cluster groups that users might add to their servers. You can modify the configuration settings for 
User Application cluster group using the User Application administration features. Changes to the 
cluster configuration take effect for a server node only when you restart that node. 


12.2.2 Setting System Properties for Workflow Engine IDs 


Each server that hosts the identity applications in the cluster can run a workflow engine. To ensure 
performance of the cluster and the workflow engine, every server in the cluster should use the same 
partition name and partition UDP group. Also, each server in the cluster must be started with a unique 
ID for the workflow engine, because clustering for the workflow engine works independently of the 
cache framework for the identity applications. 


To ensure that your workflow engines run appropriately, you must set system properties for Tomcat. 


1 Create a new JVM system property for each identity applications server in the cluster. 


2 Name the system property com.novell.afw.wf.engine-id where the engine ID is a unique 
value. 


12.2.3 Using the Same Master Key for Each User Application in the Cluster 


The identity applications encrypt sensitive data using a master key. All identity applications in a 
cluster must use the same master key. This section helps you ensure that all identity applications in a 
cluster use the same master key. 


For more information about encrypting sensitive data in the identity applications, see Encrypting 
Sensitive Identity Applications Data in the NetIQ Identity Manager - Administrator’s Guide to the 
Identity Applications. 


1 Install the User Application on the first node in the cluster. 


2 In the Security - Master Key window of the installation program, note the location of the 
master-key.txt file that will contain the new master key for the identity applications. By default, 
the file is in the installation directory. 

3 Install the identity applications on the other nodes in the cluster. 

4 In the Security - Master Key window, click Yes and then click Next. 


5 In the Import Master Key window, copy the master key from the text file that was created in 
Step 2. 


12.3 Installation Procedure 


This section provides step-by-step instructions of installing a new instance of the identity applications 
on Tomcat and then configuring it for clustering. 


1. Install the Identity Manager 4.7 engine. For step-by-step instructions, see Section 3.2, “Installing 
Identity Manager Engine,” on page 38. For a production-level deployment, it is recommended to 
install Identity Manager engine on a separate server. 


2. Install the database for the Identity Applications. You can use the PostgreSQL database installed 
with the Identity Applications. However, it is recommended to install the database on a separate 
server. 


3. On Node1, install and configure the Identity Applications. 
During the installation, ensure that you: 
+ select the new database option 
+ provide a unique Workflow Engine ID. For example, Node1. 
+ have the database jar file available on all the User Application nodes in the cluster. For 
PostgreSQL, the postgresql-9.4.1212.jar is located at /opt/netiq/idm/postgres. 


The Identity Applications encrypt sensitive data using a master key. The installation program 
creates a new master key during Identity Applications configuration. In a cluster, User Application 
clustering requires every instance of the User Application to use the same master key. The 
master key is stored under the property com.novell.idm.masterkey in the 
ism-configuration.properties file located in the /opt/netiq/idm/apps/tomcat/conf/ directory. 


For detailed instructions, see Section 3.3, "Installing Identity Applications," on page 39. 

4. On Node2, install and configure the Identity Applications. 
During the installation, ensure that you: 
+ select the existing database option 
+ provide a unique Workflow Engine ID. For example, Node2. 
+ have the database jar file available on all the User Application nodes in the cluster. For 
PostgreSQL, the postgresql-9.4.1212.jar is located at /opt/netiq/idm/postgres. 


After completing the Node2 User Application configuration, copy the master key value from the 
Node1 ism-configuration.properties file and replace the corresponding master key value 
stored in Node2's ism-configuration.properties file. Treat the master key as a secret: copy it 
between nodes only over an authenticated, encrypted channel (for example, scp) and keep the 
restrictive permissions on the file, because anyone who can read it can decrypt the sensitive data 
that the Identity Applications protect with it. 


The master key is stored under the property com.novell.idm.masterkey in the 
ism-configuration.properties file (/opt/netiq/idm/apps/tomcat/conf/). 


5. Install SSPR on a separate computer. 


Before installing, make a note of the following settings and specify them during the installation 
process: 


After completing the SSPR installation, start Tomcat, launch SSPR (http://<IP>:<port>/ 
sspr/private/config/ConfigEditor) and log in. Click Configuration Editor > Settings > 
Security > Redirect Whitelist. 


a. Click Add value and specify the following URL: 
OSP: http://<dns of the failover>:<port>/osp 


b. Save the changes. 


c. In the SSPR Configuration page, click Settings > OAuth SSO and modify the OSP links by 
replacing the IP addresses with the DNS name of the server where the load balancer 
software is installed. 


d. Click Settings > Application and update the forward and logout URLs by replacing the IP 
addresses with the DNS name of the server where the load balancer software is installed. 


e. To update the SSPR information on Node1, launch the Configuration Update utility located at 
/opt/netiq/idm/apps/UserApplication/configupdate.sh. 


f. Click SSO clients > Self Service Password Reset and enter values for the Client ID, Password, 
and OSP Auth Redirect URL parameters. For more information, see <TBD - provide a link 
to the book where you will have the Updating sspr links in the dashboard for distributed or 
clustered environments section> 


NOTE: Verify that the values for these parameters are updated in Node2. 


6. On Node1, stop Tomcat and generate a new osp.jks file, specifying the DNS name of the load 
balancer server, by using the following command: 


/opt/netiq/idm/jre/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore 
osp.jks -storepass <password> -keypass <password> -alias osp -validity 1800 
-dname "cn=<loadbalancer IP/DNS>" 


For example: /opt/netiq/idm/jre/bin/keytool -genkey -keyalg RSA -keysize 2048 
-keystore osp.jks -storepass changeit -keypass changeit -alias osp -validity 
1800 -dname "cn=mydnsname" 


NOTE: Ensure that the key password is the same as the one provided during OSP installation. 
You can use the Configuration Update utility to change the password. 


7. (Conditional) To verify that the osp.jks file is updated with the changes, run the following 
command: 


/opt/netiq/idm/jre/bin/keytool -list -v -keystore osp.jks -storepass changeit 
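The command in step 6 places the load balancer name only in the certificate's CN. Clients that follow RFC 6125 (Java's own hostname checker, and the Apache HttpClient verifier whose message "Certificate for <IP> doesn't match any of the subject alternative names" appears in the troubleshooting chapter later in this guide) ignore the CN as soon as the certificate carries any subject alternative name, and never match an IP address against the CN. The following Python script is an added example and is not NetIQ code or part of this guide: it models that matching rule so that you can predict whether a given osp.jks certificate will be accepted for the URL your clients actually use, and it assembles the keytool command line from step 6 with a SAN extension (keytool -ext SAN=dns:...,ip:...). The load balancer name lb.example.com, the address 10.0.0.5 and the password changeit are constructed for the example; the exact matching behavior of individual client libraries differs in corner cases, which the comments state as an assumption. 

```python
"""Model of TLS hostname verification for the osp.jks certificate.

Added example (not NetIQ code). The rule below follows RFC 6125 section 6.4:
if the certificate carries DNS subject alternative names, the CN is ignored;
an IP address in the URL must match an iPAddress SAN; the CN is only a
fallback for DNS hostnames on certificates that have no SAN at all.
Assumption: Java's HostnameChecker and Apache HttpClient's
DefaultHostnameVerifier differ from this model only in corner cases.
"""
import ipaddress


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS match with a single, whole-label, leftmost wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.example.com" matches lb.example.com but not a.b.example.com or
    # example.com; wildcards in too-short names such as "*.com" are refused.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, san_dns=(), san_ip=(), cn=None):
    """Return True if a client connecting to `hostname` would accept a
    certificate with the given dNSName SANs, iPAddress SANs and subject CN."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals never match the CN: only an iPAddress SAN counts.
        return any(ipaddress.ip_address(entry) == ip for entry in san_ip)
    if san_dns:
        # Any dNSName SAN present: the CN is not consulted at all.
        return any(_dns_name_matches(entry, hostname) for entry in san_dns)
    return cn is not None and _dns_name_matches(cn, hostname)


def osp_keytool_command(keystore, storepass, lb_dns, lb_ip=None, validity=1800):
    """Build the keytool argv from step 6, plus a SAN listing the load balancer's
    DNS name (and optionally its IP) so that both forms of the URL verify.
    -genkeypair is the current name of the -genkey option used in the guide."""
    san = f"dns:{lb_dns}" + (f",ip:{lb_ip}" if lb_ip else "")
    return [
        "/opt/netiq/idm/jre/bin/keytool", "-genkeypair", "-keyalg", "RSA",
        "-keysize", "2048", "-keystore", keystore,
        "-storepass", storepass, "-keypass", storepass,
        "-alias", "osp", "-validity", str(validity),
        "-dname", f"cn={lb_dns}", "-ext", f"SAN={san}",
    ]


if __name__ == "__main__":
    # Constructed values for the example.
    LB_DNS, LB_IP = "lb.example.com", "10.0.0.5"
    # Certificate as produced by the command in step 6: CN only, no SAN.
    print(hostname_matches(LB_DNS, cn=LB_DNS))   # True  (CN fallback)
    print(hostname_matches(LB_IP, cn=LB_IP))     # False (an IP needs an IP SAN)
    # Certificate produced with the SAN extension: both URL forms verify.
    print(hostname_matches(LB_IP, san_dns=[LB_DNS], san_ip=[LB_IP], cn=LB_DNS))  # True
    print(" ".join(osp_keytool_command("osp.jks", "changeit", LB_DNS, LB_IP)))
```

If you run the generated command, omit -storepass and -keypass so that keytool prompts for them; passwords given on the command line are visible in process listings and the shell history.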


8. Take a backup of the original osp.jks file located at /opt/netiq/idm/apps/osp_sspr/osp/ 
and copy the new osp.jks file to this location. 


9. Copy the new osp.jks file located at /opt/netiq/idm/apps/osp_sspr/osp/ from Node1 to the 
other User Application nodes in the cluster. 


10. Launch the Configuration Update utility on Node1 and change all of the URL settings, such as 
the URL link to the landing page and the OAuth Redirect URL, to the load balancer DNS name 
under the SSO Clients tab. 


a. Save the changes in the Configuration Update utility. 


b. To reflect this change in all other nodes of the cluster, copy the ism-configuration.properties 
file located in /TOMCAT_INSTALLED_HOME/conf from Node1 to the other User 
Application nodes in the cluster. 


NOTE: You copied the ism-configuration.properties file from Node1 to the other nodes in the 
cluster. If you specified custom installation paths during the User Application installation, 
ensure that referential paths are corrected by using the Configuration Update utility on the 
cluster nodes. 

In this scenario, both OSP and the User Application are installed on the same server; therefore, 
the same DNS name is used for redirect URLs. 


If OSP and the User Application are installed on separate servers, change the OSP URLs to a 
different DNS name pointing to the load balancer. Do this for all the servers where OSP is 
installed. Doing this ensures that all OSP requests are dispatched through the load balancer to 
the OSP cluster DNS name. This involves having a separate cluster for OSP nodes. 


11. Perform the following actions in the setenv.sh file located in the /TOMCAT_INSTALLED_HOME/bin/ 
directory: 


a. To ensure that the mcast_addr binding is successful, JGroups requires that the 
preferIPv4Stack property be set to true. To do so, add the JVM property 
-Djava.net.preferIPv4Stack=true to the setenv.sh file on all nodes. 


b. Add -Dcom.novell.afw.wf.engine-id="Engine1" to the setenv.sh file on Node1. 


Similarly, add a unique engine name for each node of the cluster. For example, for Node2, 
you can add the engine name as Engine2. 
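Steps 3 and 4 above (with Sections 12.2.2 and 12.2.3) require the same master key on every node, step 11 requires a unique workflow engine ID and the IPv4 flag on every node, and step 14 requires the cluster element on every node, but nothing in the procedure verifies all of this before the first restart. The following Python script is an added example and is not part of this guide or of NetIQ's product: it parses the three files concerned for each node, reports inconsistencies without printing key material, and implements the step 4 master key copy as a function. The file contents, node names, key strings and the load balancer name lb.example.com are constructed for the example; the real files live in /opt/netiq/idm/apps/tomcat/conf (ism-configuration.properties, server.xml) and /TOMCAT_INSTALLED_HOME/bin (setenv.sh) as described above. 

```python
"""Pre-flight consistency check across identity applications cluster nodes.

Added example (not NetIQ code). It checks what steps 3, 4, 11 and 14 of this
procedure and Sections 12.2.2 and 12.2.3 require: the same master key on every
node, a unique workflow engine ID per node, -Djava.net.preferIPv4Stack=true in
setenv.sh, and an uncommented SimpleTcpCluster element in server.xml.
All file contents below are constructed samples (assumption: the real files
use the same property names and XML element shown in this chapter).
"""
import re

MASTER_KEY_PROP = "com.novell.idm.masterkey"
ENGINE_ID_PROP = "com.novell.afw.wf.engine-id"
CLUSTER_CLASS = "org.apache.catalina.ha.tcp.SimpleTcpCluster"


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments,
    backslash line continuations. Enough for ism-configuration.properties."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", pending + line)
        if match:
            props[match.group(1)] = match.group(2)
        pending = ""
    return props


def jvm_system_properties(setenv_text):
    """Collect every -Dname=value (value optionally double-quoted) from setenv.sh."""
    return {m.group(1): m.group(3)
            for m in re.finditer(r'-D([\w.\-]+)=("?)([^"\s]*)\2', setenv_text)}


def copy_master_key(src_ism, dst_ism):
    """Step 4: replace the master key in dst with the one from src, or append it."""
    key = parse_properties(src_ism)[MASTER_KEY_PROP]
    line_re = re.compile(r"^(\s*" + re.escape(MASTER_KEY_PROP) + r"\s*[=:]\s*).*$", re.M)
    if line_re.search(dst_ism):
        return line_re.sub(lambda m: m.group(1) + key, dst_ism)
    return dst_ism.rstrip("\n") + f"\n{MASTER_KEY_PROP}={key}\n"


def tomcat_cluster_enabled(server_xml):
    """True when the SimpleTcpCluster element is present outside any XML comment."""
    return CLUSTER_CLASS in re.sub(r"<!--.*?-->", "", server_xml, flags=re.S)


def check_cluster(nodes):
    """nodes: {name: {"ism": str, "setenv": str, "server_xml": str}}.
    Returns a list of findings; an empty list means the nodes are consistent.
    Key material is never included in a finding."""
    findings, master_keys, engine_owners = [], {}, {}
    for name, files in nodes.items():
        master_keys[name] = parse_properties(files["ism"]).get(MASTER_KEY_PROP)
        jvm = jvm_system_properties(files["setenv"])
        engine_id = jvm.get(ENGINE_ID_PROP)
        if engine_id:
            engine_owners.setdefault(engine_id, []).append(name)
        else:
            findings.append(f"{name}: {ENGINE_ID_PROP} is not set in setenv.sh")
        if jvm.get("java.net.preferIPv4Stack") != "true":
            findings.append(f"{name}: -Djava.net.preferIPv4Stack=true is missing from setenv.sh")
        if not tomcat_cluster_enabled(files["server_xml"]):
            findings.append(f"{name}: SimpleTcpCluster is absent or commented out in server.xml")
    if None in master_keys.values() or len(set(master_keys.values())) != 1:
        findings.append("master key is missing on a node or differs between nodes")
    for engine_id, owners in engine_owners.items():
        if len(owners) > 1:
            findings.append(f"workflow engine ID {engine_id!r} is reused by {owners}")
    return findings


# --- constructed sample files for a two-node cluster -------------------------
ISM_NODE1 = ("# constructed sample ism-configuration.properties (Node1)\n"
             "com.netiq.idm.osp.url.host = lb.example.com\n"
             f"{MASTER_KEY_PROP} = 3q7xK9mP2vL8nR4tW6yB1cD5fG0hJ2kM=\n")
ISM_NODE2 = ISM_NODE1.replace("Node1", "Node2").replace(
    "3q7xK9mP2vL8nR4tW6yB1cD5fG0hJ2kM=", "zZ1aB2cD3eF4gH5iJ6kL7mN8oP9qR0sT=")
SETENV = ('# constructed sample setenv.sh\n'
          'CATALINA_OPTS="$CATALINA_OPTS -Djava.net.preferIPv4Stack=true '
          '-D{engine}={eid}"\nexport CATALINA_OPTS\n')
SERVER_XML = ('<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">'
              '<Engine name="Catalina" defaultHost="localhost">{cluster}'
              '<Host name="localhost" appBase="webapps"/></Engine></Service></Server>')
CLUSTER_ELEMENT = f'<Cluster className="{CLUSTER_CLASS}"/>'

SAMPLE_NODES = {
    "Node1": {"ism": ISM_NODE1,
              "setenv": SETENV.format(engine=ENGINE_ID_PROP, eid="Engine1"),
              "server_xml": SERVER_XML.format(cluster=CLUSTER_ELEMENT)},
    # Node2 still has its installer-generated key and the cluster line commented out.
    "Node2": {"ism": ISM_NODE2,
              "setenv": SETENV.format(engine=ENGINE_ID_PROP, eid="Engine2"),
              "server_xml": SERVER_XML.format(cluster=f"<!-- {CLUSTER_ELEMENT} -->")},
}


def repaired_nodes(nodes=SAMPLE_NODES):
    """Apply the manual fixes from steps 4 and 14 to the sample and return the result."""
    fixed = {name: dict(files) for name, files in nodes.items()}
    fixed["Node2"]["ism"] = copy_master_key(fixed["Node1"]["ism"], fixed["Node2"]["ism"])
    fixed["Node2"]["server_xml"] = SERVER_XML.format(cluster=CLUSTER_ELEMENT)
    return fixed


if __name__ == "__main__":
    print(check_cluster(SAMPLE_NODES))      # two findings for Node2 / master key
    print(check_cluster(repaired_nodes()))  # []
```

Because ism-configuration.properties holds the master key, run the check against read-only copies of the files and keep its output out of tickets and chat logs; the findings deliberately name only the node and the property, never the key value.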


12. Enable clustering in the User Application. 


a. Start Tomcat on Node1. Do not start any other servers. 


b. Log in to the User Application as a User Application administrator. 


c. Click the Administration tab. 
The User Application displays the Application Configuration portal. 


d. Click Caching. 
The User Application displays the Caching Management page. 


e. Select True for the Cluster Enabled property. 


f. Click Save. 


g. Restart Tomcat. 


NOTE: If you have selected Enable Local settings, repeat this procedure for each server in the 
cluster. 


The User Application cluster uses JGroups for cache synchronization across nodes using default 
UDP. In case you want to change this protocol to use TCP, see Portal Configuration Tasks in 
NetIQ Analyzer for Identity Manager Administration Guide. 


13. Enable the permission index for clustering. 


a. Log in to iManager on Node1 and navigate to View Objects. 


b. Under System, navigate to the driver set containing the User Application driver. 


c. Select AppConfig > AppDefs > Configuration. 


d. Select the XMLData attribute and set the com.netiq.idm.cis.clustered property to true. 


For example: 

<property> 
<key>com.netiq.idm.cis.clustered</key> 
<value>true</value> 
</property> 


e. Click OK. 


14. Enable Tomcat cluster. 


162 NetIQ Identity Manager Setup Guide for Linux 


Open the Tomcat server.xml file from /TOMCAT_INSTALLED_HOME/conf/ and uncomment this 
line in this file on all the cluster nodes: 


<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> 


For advanced Tomcat clustering configuration, follow the steps from https://tomcat.apache.org/ 
tomcat-8.5-doc/cluster-howto.html. 


15. Restart Tomcat on all the nodes. 
16. Configure the User Application Driver for clustering. 


In a cluster, the User Application driver must be configured to use the DNS name of the load 
balancer for the cluster. You configure the User Application driver using iManager. 


a. Log in to the iManager that manages your Identity Manager engine. 

b. Click the Identity Manager node in the iManager navigation frame. 
c. Click Identity Manager Overview. 
d. Use the search page to display the Identity Manager Overview for the driver set that 
contains your User Application driver and Roles and Resource Service Driver. 


e. Click the round status indicator in the upper right corner of the driver icon: 


A menu is displayed that lists commands for starting and stopping the driver, and editing 
driver properties. 


f. Select Edit Properties. 


g. In the Driver Parameters section, change Host to the host name or IP address of the 
dispatcher. 


h. Click OK. 
i. Restart the driver. 


17. To change the URL of the Roles and Resource Service Driver, repeat Step 16a through Step 16f, 
then click Driver Configuration and update the User Application URL with the load balancer DNS 
name. 


18. Ensure session stickiness is enabled for the cluster created in the load balancer software for the 
User Application nodes. 


19. Configure the client settings on the Identity Manager Dashboard. For more information, see 
Configuring Client Settings Mode in the NetIQ Identity Manager - Administrator’s Guide to the 
Identity Applications. 
13 Uninstalling Identity Manager Components 


This section describes the process for uninstalling the components of Identity Manager. Some 
components have prerequisites for uninstallation. Ensure that you review full section for each 
component before beginning the uninstallation process. 


NOTE: You must stop all services such as Tomcat, PostgreSQL, and ActiveMQ before uninstalling 
the Identity Manager components. 


13.1 Removing Objects from the Identity Vault 


The first step in uninstalling Identity Manager is to delete all Identity Manager objects from the Identity 
Vault. When the driver set is created, the wizard prompts you to make the driver set a partition. If any 
driver set objects are also partition root objects in eDirectory, the partition must be merged into the 
parent partition before you can delete the driver set object. 


To remove objects from the Identity Vault: 
1 Perform a health check on the eDirectory database, then fix any errors that occur before 
proceeding. 


For more information, see “Keeping eDirectory Healthy” in the NetiQ eDirectory Administration 
Guide. 


2 Log in to iManager as an administrator with full rights to the eDirectory tree. 
3 Select Partitions and Replica > Merge Partition. 
4 Browse to and select the driver set object that is the partition root object, then click OK. 
5 Wait for the merge process to complete, then click OK. 
6 Delete the driver set object. 


When you delete the driver set object, the process deletes all the driver objects associated with 
that driver set. 


7 Repeat Step 3 through Step 6 for each driver set object that is in the eDirectory database, until 
they are all deleted. 


8 Repeat Step 1 to ensure that all merges completed and all of the objects have been deleted. 


13.2 Uninstalling the Identity Manager Engine 


The installer provides an uninstallation script for Identity Manager. This script allows you to remove all 
services, packages, and directories that were created during the installation. 


NOTE: Before uninstalling the Identity Manager engine, prepare the Identity Vault. For more 
information, see Section 13.1, “Removing Objects from the Identity Vault,” on page 165. 
To uninstall Identity Manager Engine: 


1 Navigate to the location where you have mounted the iso for installation. 

2 From the root directory of the .iso file, run the following command: 
./uninstall.sh 

3 Specify the components that you want to uninstall. 


For example, specify 1 to uninstall the Identity Manager Engine. You can also uninstall multiple 
components at a time. For example, specify 1, 2,3 to uninstall Identity Manager engine, Remote 
Loader, and Fanout Agent respectively. 


13.3 Uninstalling the Identity Applications 


1 Navigate to the location where you have mounted the .iso for installation. 
2 From the root directory of the .iso file, run the following command: 
./uninstall.sh 
3 Specify the components that you want to uninstall. 
For example, specify 1 to uninstall the Identity Applications. 


13.4 Uninstalling the Identity Reporting Components 


You must uninstall the Identity Reporting components in the following order: 


1. Delete the drivers. For more information, see Section 13.4.1, “Deleting the Reporting Drivers,” 
on page 166. 


2. Delete Identity Reporting. For more information, see Section 13.4.2, “Uninstalling Identity 
Reporting,” on page 167. 


3. Delete Sentinel. For more information, see Section 13.4.3, “Uninstalling Sentinel,” on page 167. 


NOTE: To conserve disk space, the installation programs for Identity Reporting do not install a Java 
virtual machine (JVM). Therefore, to uninstall one or more components, ensure that you have a JVM 
available and also make sure that the JVM is in the PATH. If you encounter an error during an 
uninstallation, add the location of a JVM to the local PATH environment variable, then run the 
uninstallation program again. 


13.4.1 Deleting the Reporting Drivers 


You can use Designer or iManager to delete the Data Collection and Managed System Gateway 
drivers. 


1 Stop the drivers. Depending on the component that you use, complete one of the following 
actions: 
+ Designer: For each driver, right-click the driver line, then click Live > Stop Driver. 


+ iManager: On the Driver Set Overview page, click the upper right corner of each driver 
image, then click Stop Driver. 


2 Delete the drivers. Depending on the component that you use, complete one of the following 
actions: 


+ Designer: For each driver, right-click the driver line, then click Delete. 
+ iManager: On the Driver Set Overview page, click Drivers > Delete drivers, then click the 
driver that you want to delete. 


13.4.2 Uninstalling Identity Reporting 


Before deleting Identity Reporting, ensure you have deleted the Data Collection and Managed 
System Gateway drivers. For more information, see Section 13.4.1, “Deleting the Reporting Drivers,” 
on page 166. 
1 Navigate to the location where you have mounted the .iso for installation. 
2 From the root directory of the .iso file, run the following command: 
./uninstall.sh 
3 Specify the components that you want to uninstall. 
For example, specify 1 to uninstall Identity Reporting. 


13.4.3 Uninstalling Sentinel 


1 Log in to the Sentinel server. 

2 Navigate to the directory containing the uninstallation script: 
/opt/novell/sentinel/setup/ 

3 Execute the following command: 
./uninstall.sh 

4 When prompted to reconfirm that you want to proceed with the uninstall, press y. 


The script first stops the service and then removes it completely. 


13.5 Uninstalling Designer 


1 Close Designer. 
2 Uninstall Designer. 


Navigate to the directory containing the uninstallation script, by default 
<installation_directory>/designer/UninstallDesigner/Uninstall Designer for 
Identity Manager. 


To execute the script, enter ./uninstall 


13.6 Uninstalling Analyzer 


1 Close Analyzer. 
2 Uninstall Analyzer according to the operating system: 


Navigate to the Uninstall Analyzer for Identity Manager script, located by default in the 
<installation_directory>/analyzer/UninstallAnalyzer directory. 


To execute the script, enter ./Uninstall 
14 Troubleshooting 


This section provides useful information for troubleshooting problems with installing Identity Manager. 
For more information about troubleshooting Identity Manager, see the guide for the specific 
component. 


14.1 Troubleshooting the User Application and RBPM 
Installation 


The following table lists the issues you might encounter and the suggested actions for working on 
these issues. If the problem persists, contact your NetIQ representative. 


Issue: When you enable CEF auditing for OSP from the configupdate utility (configupdate.sh), your 
attempts to log in to IDMRPT fail. 

Suggested Actions: Perform the following steps to work around this issue: 

1. Navigate to the ism-configuration.properties and idmrptcore_logging.xml files located in the 
/opt/netiq/idm/apps/tomcat/conf directory. 

2. Edit the ism-configuration.properties and idmrptcore_logging.xml files. 

3. Change the value of com.netiq.ism.audit.cef.protocol in ism-configuration.properties and the 
value of <protocol> in idmrptcore_logging.xml from tcp to TCP. 

4. Restart Tomcat. 


Issue: If your Identity Applications and Identity Reporting are installed on the same server and you 
choose Startup as the database creation option, you will notice some exceptions in the log. 

Suggested Actions: To clear the exceptions, manually restart Tomcat. 


Issue: If your existing Identity Applications or Identity Reporting configuration was configured 
without ports and you upgrade to Identity Manager 4.7, the IP address and ports shown under the 
Authentication and SSO Clients tabs in the configuration update utility display incorrect values. 

Suggested Actions: After you upgrade Identity Applications and Identity Reporting to version 4.7, 
perform the following steps: 

1. Navigate to the /opt/netiq/idm/apps/configupdate directory. 

2. Run the following command: 
./configupdate.sh 

3. In the Authentication tab, specify the correct IP address and port in the OAuth server host 
identifier and OAuth server TCP port fields respectively. 

4. In the SSO Clients tab, ensure that the URLs for IDM Administrator, Reporting, and IDM Data 
Collection Services are in the correct format. 

5. Restart Tomcat. 


Issue: You want to modify one or more of the following User Application configuration settings 
created during installation: 

+ Identity Vault connections and certificates 
+ E-mail settings 
+ Identity Manager Engine User Identity and User Groups 
+ Access Manager or iChain settings 

Suggested Actions: Run the configuration utility independent of the installer. 

Linux: Run the following command from the installation directory (by default, 
/opt/netiq/idm/apps/configupdate/): 
./configupdate.sh 


Issue: Starting Tomcat causes the following exception: 
port 8180 already in use 

Suggested Actions: Shut down any instances of Tomcat (or other server software) that might already 
be running. If you reconfigure Tomcat to use a port other than 8180, edit the configuration settings 
for the User Application driver. 


Issue: When Tomcat starts, the application reports that it cannot find trusted certificates. 

Suggested Actions: Ensure that you start Tomcat by using the JDK specified during the installation of 
the User Application. 


Issue: Cannot log in to the portal admin page. 

Suggested Actions: Ensure that the User Application Administrator account exists. This account is 
not the same as your iManager administrator account. 


Issue: Cannot create new users even with the administrator account. 

Suggested Actions: The User Application Administrator must be a trustee of the top container and 
should have Supervisor rights. You can try setting the User Application Administrator's rights 
equivalent to the LDAP Administrator's rights (using iManager). 


Issue: Starting the application server throws keystore errors. 

Suggested Actions: Your application server is not using the JDK specified during the installation of 
the User Application. 

Use the keytool command to import the certificate file: 

keytool -import -trustcacerts -alias aliasName -file certFile -keystore 
../lib/security/cacerts -storepass changeit 

+ Replace aliasName with a unique name of your choice for this certificate. 
+ Replace certFile with the full path and name of your certificate file. 
+ The default keystore password is changeit (if you have a different password, specify it). 


Issue: Email notification not sent. 

Suggested Actions: Run the configupdate utility to check whether you supplied values for the 
following User Application configuration parameters: Email From and Email Host. 

Linux: Run the following command from the installation directory (by default, 
/opt/netiq/idm/apps/UserApplication/): 
./configupdate.sh 


14.2 Troubleshooting Login 


The following table lists the issues you might encounter and the suggested actions for working on 
these issues. If the problem persists, contact your NetIQ representative. 


Issue: A user is unable to log in in a large-scale environment (more than 2 million objects). 

Suggested Actions: Add an index for the mail (Internet Mail Address) attribute with the rule set to 
Value on both the eDirectory master and replica servers. 


Issue: When you sign out from the Identity Applications page, SSPR shows error 5053 
ERROR_APP_UNAVAILABLE. 

Suggested Actions: Ignore this error. It does not cause any loss of functionality. 


Issue: Challenge responses are not prompted at the first login to the Identity Applications. 

Suggested Actions: 

1. Ensure that the SSPR server has a certificate created using the FQDN. 

2. Log in to the User Application server and launch the ConfigUpdate utility 
(/opt/netiq/idm/apps/configupdate/). 

3. Navigate to SSO Clients > Self Service Password Reset and make sure the settings are correct. 

If SSPR is installed on a separate server, make sure that the SSPR certificate is imported into idm.jks, 
located on the User Application server at /opt/netiq/idm/apps/tomcat/conf. 


Issue: The browser displays a blank page when the SSPR URL is accessed. 

Suggested Actions: This occurs when SSPR is not properly configured with OSP. The SSPR log shows 
the following information: 

2018-01-24T22:24:02Z, ERROR, oauth.OAuthConsumerServlet, 5071 ERROR_OAUTH_ERROR 
(unexpected error communicating with oauth server: 
password.pwm.error.PwmUnrecoverableException: 5071 ERROR_OAUTH_ERROR (io error during 
oauth code resolver http request to oauth server: Certificate for <IP> doesn't match any of 
the subject alternative names: [IP])) 

1. Verify that the Tomcat server where OSP is running has a valid certificate created using the 
FQDN. Log in to the User Application server and launch the ConfigUpdate utility. Navigate to 
SSO Clients > Self Service Password Reset and make sure the settings are correct. 

2. Log in to SSPR by overriding the OSP login method (for example, 
https://<sspr server ip>:<port>/sspr/private/Login?sso=false). 

3. Navigate to Configuration Editor in the top right corner of the page. 

4. Specify the Configure Password, then click Sign In. 

5. Navigate to LDAP > LDAP Directories > Default > Connection. 

6. If the LDAP certificate is not correct, click Clear. 

7. To reimport the certificate, click Import From Server. 

8. Navigate to Settings > Single Sign On (SSO) Client > OAuth and verify that the certificate under 
OAUTH Web Service Server Certificate is correct. 

9. If the certificate is not correct, click Clear. 

10. To reimport the certificate, click Import From Server. 


Issue: Error when the ConfigUpdate utility is launched from a different directory. 

Suggested Actions: The ConfigUpdate utility reports errors and does not save any changes. For 
example, if you launch it with the /opt/netiq/idm/apps/configupdate/configupdate.sh command, it 
does not launch. Instead, navigate to the /opt/netiq/idm/apps/configupdate/ directory and then run 
the ./configupdate.sh command. 


14.3 Troubleshooting Uninstallation 


The following table lists the issues you might encounter and the suggested actions for working on 
these issues. If the problem persists, contact your NetIQ representative. 
Issue: The uninstallation process reports as incomplete, but the log file shows no failures. 

Suggested Actions: The process failed to delete the netiq directory that contains the installation 
files by default. You can delete the directory if you have removed all NetIQ software from your 
computer. 